Can't seem to get prompt no to work

Robert Moskowitz
In the [ ca ] section I have:

prompt   = no

If I leave the = out I get an error, so I am assuming I got the format
of this right.

Then I have

[ req ]
distinguished_name  = req_distinguished_name

[ req_distinguished_name ]
countryName                     = $ENV::countryName
stateOrProvinceName             = $ENV::stateOrProvinceName

In a terminal window I run:

export countryName=US
export stateOrProvinceName=MI

then

openssl req -config openssl-root.cnf -key private/ca.key.pem \
       -new -x509 -days 7300 -sha256 -extensions v3_ca -out
certs/ca.cert.pem


And I am still getting prompted for the DN fields:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
US []:

What did I miss?

thanks

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Can't seem to get prompt no to work

OpenSSL - User mailing list
In the CA section, you have to specify which fields you need/want in the DN.  This is the “policy” identifier which points to a section that names the RDNs you want/need.

Re: Can't seem to get prompt no to work

Robert Moskowitz


On 08/17/2017 03:39 PM, Salz, Rich via openssl-users wrote:
> In the CA section, you have to specify which fields you need/want in the DN.  This is the “policy” identifier which points to a section that names the RDNs you want/need.
>
I have that:

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
#     dir               = /root/ca
certs             = $ENV::dir/certs
crl_dir           = $ENV::dir/crl
new_certs_dir     = $ENV::dir/newcerts
database          = $ENV::dir/index.txt
serial            = $ENV::dir/serial
RANDFILE          = $ENV::dir/private/.rand

# The root key and root certificate.
private_key       = $ENV::dir/private/ca.key.pem
certificate       = $ENV::dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $ENV::dir/crlnumber
crl               = $ENV::dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict
prompt            = no

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
req_extensions      = req_ext

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = $ENV::countryName
stateOrProvinceName             = $ENV::stateOrProvinceName
localityName                    = $ENV::localityName
0.organizationName              = $ENV::organizationName
organizationalUnitName          = $ENV::organizationalUnitName
commonName                      = $ENV::commonName

[ req_ext ]
subjectAltName = email:$ENV::adminemail


Re: Can't seem to get prompt no to work

OpenSSL - User mailing list
Use the -batch flag to avoid all prompting

Re: Can't seem to get prompt no to work

Robert Moskowitz


On 08/17/2017 04:09 PM, Salz, Rich wrote:
> Use the -batch flag to avoid all prompting
>
I commented out the prompt line and tried again:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
 >       -new -x509 -days 7300 -sha256 -batch -extensions v3_ca -out
certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
error, no objects specified in config file
problems making Certificate Request

Is it not liking the use of ENV for the DN objects?  It worked for
$ENV::dir...

export

...

declare -x adminemail="[hidden email]"
declare -x commonName="Root CA"
declare -x countryName="US"
declare -x dir="/root/ca"
declare -x localityName="Oak Park"
declare -x organizationName="HTT Consulting"
declare -x organizationalUnitName=""
declare -x stateOrProvinceName="MI"


[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = $ENV::countryName
stateOrProvinceName             = $ENV::stateOrProvinceName
localityName                    = $ENV::localityName
0.organizationName              = $ENV::organizationName
organizationalUnitName          = $ENV::organizationalUnitName
commonName                      = $ENV::commonName


Re: Can't seem to get prompt no to work

Robert Moskowitz


On 08/17/2017 04:17 PM, Robert Moskowitz wrote:

>
>
> On 08/17/2017 04:09 PM, Salz, Rich wrote:
>> Use the -batch flag to avoid all prompting
>>
> I commented out the prompt line and tried again:
>
> openssl req -config openssl-root.cnf -key private/ca.key.pem \
> >       -new -x509 -days 7300 -sha256 -batch -extensions v3_ca -out
> certs/ca.cert.pem
> Enter pass phrase for private/ca.key.pem:
> error, no objects specified in config file
> problems making Certificate Request
>
> Is it not liking the use of ENV for the DN objects?  It worked for
> $ENV::dir...
>
> export
>
> ...
>
> declare -x adminemail="[hidden email]"
> declare -x commonName="Root CA"
> declare -x countryName="US"
> declare -x dir="/root/ca"
> declare -x localityName="Oak Park"
> declare -x organizationName="HTT Consulting"
> declare -x organizationalUnitName=""
> declare -x stateOrProvinceName="MI"
>
>
> [ req_distinguished_name ]
> # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
> countryName                     = $ENV::countryName
> stateOrProvinceName             = $ENV::stateOrProvinceName
> localityName                    = $ENV::localityName
> 0.organizationName              = $ENV::organizationName
> organizationalUnitName          = $ENV::organizationalUnitName
> commonName                      = $ENV::commonName
>
>
I don't think it is the use of $ENV, as the following in cnf got the
same failure:

countryName                     = US
stateOrProvinceName             = MI
localityName                    = "Oak Park"
0.organizationName              = "HTT Consulting"
organizationalUnitName          =
commonName                      = "Root CA"

I have removed the _default entries....


Re: Can't seem to get prompt no to work

Robert Moskowitz
In reply to this post by Robert Moskowitz


On 08/17/2017 04:17 PM, Robert Moskowitz wrote:

>
>
> On 08/17/2017 04:09 PM, Salz, Rich wrote:
>> Use the -batch flag to avoid all prompting
>>
> I commented out the prompt line and tried again:
>
> openssl req -config openssl-root.cnf -key private/ca.key.pem \
> >       -new -x509 -days 7300 -sha256 -batch -extensions v3_ca -out
> certs/ca.cert.pem
> Enter pass phrase for private/ca.key.pem:
> error, no objects specified in config file
> problems making Certificate Request
>
> Is it not liking the use of ENV for the DN objects?  It worked for
> $ENV::dir...
>
> export
>
> ...
>
> declare -x adminemail="[hidden email]"
> declare -x commonName="Root CA"
> declare -x countryName="US"
> declare -x dir="/root/ca"
> declare -x localityName="Oak Park"
> declare -x organizationName="HTT Consulting"
> declare -x organizationalUnitName=""
> declare -x stateOrProvinceName="MI"
>
>
> [ req_distinguished_name ]
> # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
> countryName                     = $ENV::countryName
> stateOrProvinceName             = $ENV::stateOrProvinceName
> localityName                    = $ENV::localityName
> 0.organizationName              = $ENV::organizationName
> organizationalUnitName          = $ENV::organizationalUnitName
> commonName                      = $ENV::commonName
>
>
When I put the prompt = no in the beginning of the [req] section (I saw
that on one site), I get:

problems making Certificate Request
140134179792760:error:0D07A098:asn1 encoding
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1

Is ENV not working in [req_distinguished_name]?


Re: Can't seem to get prompt no to work

OpenSSL - User mailing list
> declare -x organizationalUnitName=""
> routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
   
You are setting an empty OU.  You should not set it and see if that works
   

Re: Can't seem to get prompt no to work

Robert Moskowitz
ARGH!!!

On 08/17/2017 05:38 PM, Salz, Rich wrote:
>> declare -x organizationalUnitName=""
>> routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
>    
> You are setting an empty OU.  You should not set it and see if that works

So now I have to figure out how to handle an empty variable.  Need to
see what will happen if the variable has a value of "." that the
prompting takes for dropping that object...

The resultant cert does not have the SAN.  That is another thing I need
to figure out.


Re: Can't seem to get prompt no to work

Robert Moskowitz
In reply to this post by OpenSSL - User mailing list


On 08/17/2017 05:38 PM, Salz, Rich wrote:
>> declare -x organizationalUnitName=""
>> routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
>    
> You are setting an empty OU.  You should not set it and see if that works
>      
>
organizationalUnitName = "."  puts a . in it.  So I have to figure out a
way to drop that line from the config.

like if a field is not needed:

sed -i -e "s/^organizationalUnitName/#organizationalUnitName/w
/dev/stdout" openssl-root.cnf


But this is not quite right.  I have to find the one that has ENV in
it.  I DO have an example of one such to use...


Re: Can't seem to get prompt no to work

Jakob Bohm-7
On 18/08/2017 00:09, Robert Moskowitz wrote:

>
>
> On 08/17/2017 05:38 PM, Salz, Rich wrote:
>>> declare -x organizationalUnitName=""
>>> routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
>>     You are setting an empty OU.  You should not set it and see if
>> that works
>>
> organizationalUnitName = "."  puts a . in it.  So I have to figure out
> a way to drop that line from the config.
>
> like if a field is not needed:
>
> sed -i -e "s/^organizationalUnitName/#organizationalUnitName/w
> /dev/stdout" openssl-root.cnf
>
>
> But this is not quite right.  I have to find the one that has ENV in
> it.  I DO have an example of one such to use...
>
>
Given all these problems with the Distinguished Name prompting
mechanism, just add the -subject option to the req command line
(using appropriate environment variables in the shell script).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

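Jakob's suggestion worked through as an added example (my code, not from the thread or from the OpenSSL project): the `-subj` string is assembled by the shell from the same environment variables the thread exports, and any field whose variable is empty is simply skipped, which avoids the empty-OU problem without editing the config with sed. The helper names (`subj_escape`, `build_subj`) are my own; the field order and variable names follow the `[req_distinguished_name]` section posted earlier. In OpenSSL's `-subj` syntax `/` separates RDNs and `\` is the escape character, so both are escaped inside values.

```shell
#!/bin/sh
# Added example, not code from the thread: build the -subj argument for
# `openssl req` from environment variables and drop any field whose
# variable is empty, so no zero-length RDN is ever emitted.

# OpenSSL's -subj syntax uses '/' to separate RDNs and '\' as the escape
# character, so both are escaped inside a value ("Dev/Ops" -> "Dev\/Ops").
subj_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's,/,\\/,g'
}

# Walk the fields in the order the thread's config lists them and append
# "/SHORT=value" for every variable that is set and non-empty.
build_subj() {
    subj=""
    for pair in C:countryName ST:stateOrProvinceName L:localityName \
                O:organizationName OU:organizationalUnitName CN:commonName; do
        short=${pair%%:*}
        var=${pair#*:}
        eval "val=\${$var:-}"
        if [ -n "$val" ]; then
            subj="$subj/$short=$(subj_escape "$val")"
        fi
    done
    printf '%s' "$subj"
}

# Constructed sample values matching those exported in the thread, with the
# OU deliberately empty: it is dropped instead of becoming "" or ".".
countryName=US
stateOrProvinceName=MI
localityName="Oak Park"
organizationName="HTT Consulting"
organizationalUnitName=""
commonName="Root CA"

# With -subj given, openssl req takes the DN from the command line, so the
# req_distinguished_name values are not what ends up in the certificate:
#   openssl req -config openssl-root.cnf -key private/ca.key.pem -new -x509 \
#       -days 7300 -sha256 -extensions v3_ca -subj "$(build_subj)" \
#       -out certs/ca.cert.pem
build_subj; echo
```

Run as-is it prints `/C=US/ST=MI/L=Oak Park/O=HTT Consulting/CN=Root CA`; the `-subj` value must be double-quoted on the openssl command line so that spaces in the organisation or common name survive word splitting.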
Re: Can't seem to get prompt no to work

Robert Moskowitz


On 08/17/2017 07:01 PM, Jakob Bohm wrote:

> On 18/08/2017 00:09, Robert Moskowitz wrote:
>>
>>
>> On 08/17/2017 05:38 PM, Salz, Rich wrote:
>>>> declare -x organizationalUnitName=""
>>>> routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
>>>     You are setting an empty OU.  You should not set it and see if
>>> that works
>>>
>> organizationalUnitName = "."  puts a . in it.  So I have to figure
>> out a way to drop that line from the config.
>>
>> like if a field is not needed:
>>
>> sed -i -e "s/^organizationalUnitName/#organizationalUnitName/w
>> /dev/stdout" openssl-root.cnf
>>
>>
>> But this is not quite right.  I have to find the one that has ENV in
>> it.  I DO have an example of one such to use...
>>
>>
> Given all these problems with the Distinguished Name prompting
> mechanism, just add the -subject option to the req command line
> (using appropriate environment variables in the shell script).

Always an option, Jakob.  I have done this in the past for my
self-signed certs.  I am trying the config approach now.  But I may step
back...

I AM making my CA certs.  With a SAN caveat in the root cert.

Slow progress.

Bob

Re: Can't seem to get prompt no to work

Dr. Stephen Henson
In reply to this post by Robert Moskowitz
On Thu, Aug 17, 2017, Robert Moskowitz wrote:

> In the [ ca ] section I have:
>
> prompt   = no
>
> If I leave the = out I get an error, so I am assuming I got the
> format of this right.
>
> Then I have
>
> [ req ]
> distinguished_name  = req_distinguished_name
>
> [ req_distinguished_name ]
> countryName                     = $ENV::countryName
> stateOrProvinceName             = $ENV::stateOrProvinceName
>
> In a terminal window I run:
>
> export countryName=US
> export stateOrProvinceName=MI
>
> then
>
> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>       -new -x509 -days 7300 -sha256 -extensions v3_ca -out
> certs/ca.cert.pem
>
>
> And I am still getting prompted for the DN fields:
>
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> US []:
>
> What did I miss?
>

Since this is the req command try "prompt = no" in the req section.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Can't seem to get prompt no to work

Robert Moskowitz


On 08/18/2017 01:16 PM, Dr. Stephen Henson wrote:

> On Thu, Aug 17, 2017, Robert Moskowitz wrote:
>
>> In the [ ca ] section I have:
>>
>> prompt   = no
>>
>> If I leave the = out I get an error, so I am assuming I got the
>> format of this right.
>>
>> Then I have
>>
>> [ req ]
>> distinguished_name  = req_distinguished_name
>>
>> [ req_distinguished_name ]
>> countryName                     = $ENV::countryName
>> stateOrProvinceName             = $ENV::stateOrProvinceName
>>
>> In a terminal window I run:
>>
>> export countryName=US
>> export stateOrProvinceName=MI
>>
>> then
>>
>> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>>        -new -x509 -days 7300 -sha256 -extensions v3_ca -out
>> certs/ca.cert.pem
>>
>>
>> And I am still getting prompted for the DN fields:
>>
>> You are about to be asked to enter information that will be incorporated
>> into your certificate request.
>> What you are about to enter is what is called a Distinguished Name or a DN.
>> There are quite a few fields but you can leave some blank
>> For some fields there will be a default value,
>> If you enter '.', the field will be left blank.
>> -----
>> US []:
>>
>> What did I miss?
>>
> Since this is the req command try "prompt = no" in the req section.

Thank you, but I did get past this point.  I got prompt no working and
the way it worked, just did not work well enough.

I threw the towel in on ENV and did get -subj $DN working...

thanks

Bob

Re: Can't seem to get prompt no to work

Peter Sylvester-4
In reply to this post by Dr. Stephen Henson
On 08/18/2017 07:16 PM, Dr. Stephen Henson wrote:

> On Thu, Aug 17, 2017, Robert Moskowitz wrote:
>
>> In the [ ca ] section I have:
>>
>> prompt   = no
>>
>> If I leave the = out I get an error, so I am assuming I got the
>> format of this right.
>>
>> Then I have
>>
>> [ req ]
>> distinguished_name  = req_distinguished_name
>>
>> [ req_distinguished_name ]
>> countryName                     = $ENV::countryName
>> stateOrProvinceName             = $ENV::stateOrProvinceName
>>
>> In a terminal window I run:
>>
>> export countryName=US
>> export stateOrProvinceName=MI
What about:

[ req_distinguished_name ]
countryName                     = "Country Name (e.g. FR)"
countryName_value                     = $ENV::countryName
stateOrProvinceName             = "State or Province"
stateOrProvinceName_value             = $ENV::stateOrProvinceName

 

Re: Can't seem to get prompt no to work

Robert Moskowitz


On 08/19/2017 04:00 AM, Peter Sylvester wrote:

> On 08/18/2017 07:16 PM, Dr. Stephen Henson wrote:
>> On Thu, Aug 17, 2017, Robert Moskowitz wrote:
>>
>>> In the [ ca ] section I have:
>>>
>>> prompt   = no
>>>
>>> If I leave the = out I get an error, so I am assuming I got the
>>> format of this right.
>>>
>>> Then I have
>>>
>>> [ req ]
>>> distinguished_name  = req_distinguished_name
>>>
>>> [ req_distinguished_name ]
>>> countryName                     = $ENV::countryName
>>> stateOrProvinceName             = $ENV::stateOrProvinceName
>>>
>>> In a terminal window I run:
>>>
>>> export countryName=US
>>> export stateOrProvinceName=MI
> What about:
>
> [ req_distinguished_name ]
> countryName                     = "Country Name (e.g. FR)"
> countryName_value                     = $ENV::countryName
> stateOrProvinceName             = "State or Province"
> stateOrProvinceName_value             = $ENV::stateOrProvinceName
>
>  
>
And what happens when you have

stateOrProvinceName=

the length of stateOrProvinceName_value is zero.

When stateOrProvinceName was length zero, I got the error.

Bob

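Putting Stephen Henson's answer (`prompt = no` belongs in the section `openssl req` actually reads, not in `[ca]`) together with the zero-length-value problem Bob and Peter end on, here is an added example of the config-file approach; it is my code, not from the thread or from the OpenSSL project. Instead of `$ENV::` references, the shell resolves the values before the file is written, so a field whose variable is empty is left out entirely rather than becoming an empty RDN. In prompt mode the right-hand side of a `req_distinguished_name` entry is the prompt text, which is why Bob's very first run showed `US []:`; with `prompt = no` it is the value. The helper names (`dn_line`, `write_req_sections`, `count_dn_fields`) are my own, and the `openssl-root.cnf` output path in the trailing comment is the one from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the [req] and
# [req_distinguished_name] sections for a non-interactive `openssl req` run,
# omitting every field whose variable is empty.

# Print one "field = value" line, or nothing when the value is empty.
dn_line() {
    if [ -n "$2" ]; then
        printf '%-32s= %s\n' "$1" "$2"
    fi
}

# prompt = no goes inside [req]; with it set, each req_distinguished_name
# entry is taken literally as the RDN value (no prompting, no _default or
# _value lookups).
write_req_sections() {
    cat <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
string_mask         = utf8only
prompt              = no
distinguished_name  = req_distinguished_name

[ req_distinguished_name ]
EOF
    dn_line countryName            "${countryName:-}"
    dn_line stateOrProvinceName    "${stateOrProvinceName:-}"
    dn_line localityName           "${localityName:-}"
    dn_line 0.organizationName     "${organizationName:-}"
    dn_line organizationalUnitName "${organizationalUnitName:-}"
    dn_line commonName             "${commonName:-}"
}

# Number of RDN lines actually written, so a script can refuse to continue
# when a mandatory field such as commonName was left unset.
count_dn_fields() {
    write_req_sections | sed -n '/^\[ req_distinguished_name ]/,$p' | grep -c '='
}

# Constructed sample values matching the thread, with OU empty on purpose.
countryName=US
stateOrProvinceName=MI
localityName="Oak Park"
organizationName="HTT Consulting"
organizationalUnitName=""
commonName="Root CA"

# Write the sections, append the [ v3_ca ] section that -extensions selects,
# then run the same command as in the thread:
#   write_req_sections > openssl-root.cnf
#   openssl req -config openssl-root.cnf -key private/ca.key.pem -new -x509 \
#       -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
write_req_sections
```

Because the values are written as literals, the generated file contains the DN in clear text; treat it like the rest of the CA configuration and do not reuse it for the `[ca]` policy sections, which `openssl ca` reads separately and which the thread's `policy_strict` already covers.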