scripting creating a cert


scripting creating a cert

Robert Moskowitz
I am creating self-signed certs with:

openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 \
    -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 \
    -x509 -extensions v3_req

Where, for example:

your_host_tld=z9m9z.test.htt-consult.com

Thing is that this then prompts for a number of fields:

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Is there some 'simple' way to provide these answers?  Like with env
variables?

thanks


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: scripting creating a cert

OpenSSL - User mailing list
Yes there are easier ways to do this.  Set up a conf file and use it (via the -conf flag).  You can use env vars, set default values, and so on.  Look at the config manpages, https://www.openssl.org/docs/manmaster/man5/

For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz
 

PS -- find me in Chicago and I can answer questions, Robert :)

Re: scripting creating a cert

Jan Danielsson-3
In reply to this post by Robert Moskowitz
On 03/10/17 00:49, Robert Moskowitz wrote:
[---]
> Is there some 'simple' way to provide these answers?  Like with env
> variables?

   I tend to create response files (one response per line) and then
simply pipe to openssl:

   $ cat foo.params | openssl ...

   Just make sure openssl doesn't need any password inputs.

--
Kind regards,
Jan Danielsson


Re: scripting creating a cert

Robert Moskowitz
In reply to this post by OpenSSL - User mailing list
Hi, Rich.

Fancy meeting you here.

On 03/09/2017 07:33 PM, Salz, Rich via openssl-users wrote:
> Yes there are easier ways to do this.  Set up a conf file and use it (via the -conf flag).  You can use env vars, set default values, and so on.  Look at the config manpages, https://www.openssl.org/docs/manmaster/man5/

Not easy enough for me.  But I will have to read it some more.

> For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz

'Fuller' is putting it mildly.  :)

> PS -- find me in Chicago and I can answer questions, Robert :)

Plan on it!

Bob


Re: scripting creating a cert

Viktor Dukhovni
In reply to this post by Robert Moskowitz

> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz <[hidden email]> wrote:
>
> I am creating self-signed certs with:
>
> openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 -extensions v3_req
>
> Where, for example:
>
> your_host_tld=z9m9z.test.htt-consult.com
>
> Thing is that this then prompts for a number of fields

The simplest solution is to set the subject DN explicitly on the command-line:

   $ umask 077 # avoid world-readable private keys
   $ openssl req -new -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key \
        -x509 -subj "/CN=$(uname -n)" -out certs/$your_host_tld.crt \
        -days 3650 -extensions v3_req

For more advanced related approaches see:

    https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh

--
        Viktor.


Re: scripting creating a cert

Robert Moskowitz
In reply to this post by Jan Danielsson-3
Jan,

On 03/09/2017 08:06 PM, Jan Danielsson wrote:
> On 03/10/17 00:49, Robert Moskowitz wrote:
> [---]
>> Is there some 'simple' way to provide these answers?  Like with env
>> variables?
>     I tend to create response files (one response per line) and then
> simply pipe to openssl:
>
>     $ cat foo.params | openssl ...

I will try a few things out with this.

thanks

>     Just make sure openssl doesn't need any password inputs.
>

It doesn't for this command.



Re: scripting creating a cert

Robert Moskowitz
In reply to this post by Viktor Dukhovni
Viktor,

On 03/09/2017 08:17 PM, Viktor Dukhovni wrote:

>> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz <[hidden email]> wrote:
>>
>> I am creating self-signed certs with:
>>
>> openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 -extensions v3_req
>>
>> Where, for example:
>>
>> your_host_tld=z9m9z.test.htt-consult.com
>>
>> Thing is that this then prompts for a number of fields
> The simplest solution is to set the subject DN explicitly on the command-line:
>
>     $ umask 077 # avoid world-readable private keys

Perhaps (no perhaps about it) this is old information, but I picked up
that I needed:

chmod 640 for the private keys for Apache.  (and postfix and others use
these certs; at least they are in their confs)

>     $ openssl req -new -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key \
> -x509 -subj "/CN=$(uname -n)" -out certs/$your_host_tld.crt \
> -days 3650 -extensions v3_req
>
> For more advanced related approaches see:
>
>      https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh

Looks like this is pointing me in the direction I want to go.  I will
dig more into this approach.

thank you



Re: scripting creating a cert

Viktor Dukhovni

> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <[hidden email]> wrote:
>
>>   $ umask 077 # avoid world-readable private keys
>
> Perhaps (no perhaps about it) this is old information, but I picked up that I needed:
>
> chmod 640 for the private keys for Apache.  (and postfix and others use these certs; at least they are in their confs)

I strive to avoid the private disclosure race of first creating
a world-readable file, and then trying to do a quick chmod before
the bad guys get around to opening it.  That's why I recommend the
umask approach.

You can adjust the umask to suit your needs.  With OpenSSL 1.1.0,
if I recall correctly "keyout" files and the like are automatically
opened mode "0600". Rich Salz, who wrote the CLI option processing
code for 1.1.0 will correct me, if my memory is faulty.  There are
still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
always figure out which files end up having private keys in them,
so the umask approach is a good precaution to keep using.

--
        Viktor.
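The exposure window Viktor describes, as an added example (not code from the thread): two helpers create a file and report its mode bits, one with the create-then-chmod pattern and one with the umask-first pattern, so the difference is visible on the file itself. The mode string comes from ls -l, which behaves the same on GNU and BSD systems; the file names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: shows why "umask 077 first" beats
# "create, then chmod" for private key files. Each helper creates a file and
# prints its mode bits twice: as created, and after the chmod.

# First ten characters of "ls -l": type and permission bits, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# The pattern warned about: the file is created under a permissive umask and
# is world-readable until the chmod runs. The first value printed is the mode
# during that window, the second the mode after chmod 640.
create_then_chmod() {
    ( umask 022
      : > "$1"
      printf '%s ' "$(mode_of "$1")"
      chmod 640 "$1"
      printf '%s\n' "$(mode_of "$1")" )
}

# The recommended pattern: a restrictive umask before the file exists, so it
# is owner-only from the first instant. A later chmod 640 (for a service
# group such as the web server's) only widens access deliberately, and
# ends in the same mode Robert needs for Apache.
create_private_then_share() {
    ( umask 077
      : > "$1"
      printf '%s ' "$(mode_of "$1")"
      chmod 640 "$1"
      printf '%s\n' "$(mode_of "$1")" )
}

# Stand-alone demo in a scratch directory (constructed file names).
d=$(mktemp -d)
create_then_chmod "$d/racy.key"            # -rw-r--r-- -rw-r-----
create_private_then_share "$d/safe.key"    # -rw------- -rw-r-----
rm -rf "$d"
```

The final 640 only protects the key if the file's group is the one service group that needs it (chgrp it before or after the chmod); with a broad default group, 640 is barely better than 644.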


Re: scripting creating a cert

Robert Moskowitz


On 03/09/2017 08:53 PM, Viktor Dukhovni wrote:

>> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <[hidden email]> wrote:
>>
>>>    $ umask 077 # avoid world-readable private keys
>> Perhaps (no perhaps about it) this is old information, but I picked up that I needed:
>>
>> chmod 640 for the private keys for Apache.  (and postfix and others use these certs; at least they are in their confs)
> I strive to avoid the private disclosure race of first creating
> a world-readable file, and then trying to do a quick chmod before
> the bad guys get around to opening it.  That's why I recommend the
> umask approach.
>
> You can adjust the umask to suit your needs.  With OpenSSL 1.1.0,
> if I recall correctly "keyout" files and the like are automatically
> opened mode "0600". Rich Salz, who wrote the CLI option processing
> code for 1.1.0 will correct me, if my memory is faulty.  There are
> still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
> always figure out which files end up having private keys in them,
> so the umask approach is a good precaution to keep using.

And Rich and I sit down and talk about things all the time at IETF. This
time we will have some other items to discuss.

And since this will go into a world-readable (eventually) howto, this is
good advice that I will work on incorporating.

Thanks


Re: scripting creating a cert

Jochen Bern
In reply to this post by Robert Moskowitz
On 03/10/2017 01:10 AM, [hidden email] digested:
> Thing is that this then prompts for a number of fields:
[...]
> Is there some 'simple' way to provide these answers?  Like with env
> variables?

Yes, and as others have already pointed out, there's also the
possibility of command line parameters given to OpenSSL.

A publicly available set of scripts that makes heavy use of the env var
method and might serve as an example would be easyRSA (here, version 3):

> # grep EASYRSA_REQ_ openssl-1.0.cnf
> commonName_default      = $ENV::EASYRSA_REQ_CN
> countryName_default             = $ENV::EASYRSA_REQ_COUNTRY
> stateOrProvinceName_default     = $ENV::EASYRSA_REQ_PROVINCE
> localityName_default            = $ENV::EASYRSA_REQ_CITY
> 0.organizationName_default      = $ENV::EASYRSA_REQ_ORG
> organizationalUnitName_default  = $ENV::EASYRSA_REQ_OU
> commonName_default              = $ENV::EASYRSA_REQ_CN
> emailAddress_default            = $ENV::EASYRSA_REQ_EMAIL

> # grep EASYRSA_REQ_ easyrsa | grep -v ';;'
>         [ $EASYRSA_BATCH ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
>         [ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1"
>         EASYRSA_REQ_CN="$name"
>         set_var EASYRSA_REQ_COUNTRY     "US"
>         set_var EASYRSA_REQ_PROVINCE    "California"
>         set_var EASYRSA_REQ_CITY        "San Francisco"
>         set_var EASYRSA_REQ_ORG         "Copyleft Certificate Co"
>         set_var EASYRSA_REQ_EMAIL       [hidden email]
>         set_var EASYRSA_REQ_OU          "My Organizational Unit"
>         set_var EASYRSA_REQ_CN          ChangeMe
https://github.com/OpenVPN/easy-rsa

Kind regards,
--
Jochen Bern
Systemingenieur
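As an added example (mine, not code from the thread, from OpenSSL or from easy-rsa), this is the config-file route Rich suggests and the $ENV:: pattern Jochen quotes, combined so the request runs with no prompts: the DN defaults in the config are environment variable references, and -batch makes openssl take each default as given. The REQ_* variable names, the hostname and the organization are constructed; openssl's flag for the config file is spelled -config. One caveat worth knowing: every variable the config references must be exported, even when it is empty, because an unset $ENV:: variable aborts config parsing, whereas an empty default simply drops that field from the subject.

```shell
#!/bin/sh
# Added example (not from the thread, OpenSSL or easy-rsa): an OpenSSL req
# config whose DN defaults come from environment variables, used with
# "openssl req -batch" so nothing is prompted. The REQ_* names are this
# example's own choice; openssl reads them through $ENV::NAME.

# Write a req config to the path given as $1. Every $ENV:: reference must be
# exported (even if empty) or openssl aborts with "variable has no value".
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_dn

# Prompt mode with defaults: under -batch each default is taken as-is, and a
# field whose default is empty is left out of the subject instead of asked.
[ req_dn ]
countryName                    = Country Name (2 letter code)
countryName_default            = $ENV::REQ_COUNTRY
stateOrProvinceName            = State or Province Name
stateOrProvinceName_default    = $ENV::REQ_PROVINCE
localityName                   = Locality Name
localityName_default           = $ENV::REQ_CITY
0.organizationName             = Organization Name
0.organizationName_default     = $ENV::REQ_ORG
organizationalUnitName         = Organizational Unit Name
organizationalUnitName_default = $ENV::REQ_OU
commonName                     = Common Name
commonName_default             = $ENV::REQ_CN
emailAddress                   = Email Address
emailAddress_default           = $ENV::REQ_EMAIL
EOF
}

# Issue a self-signed cert non-interactively: $1 = config, $2 = key output,
# $3 = cert output. The key is created under umask 077 so it is never
# world-readable, not even between creation and a later chmod.
issue_selfsigned() {
    ( umask 077
      openssl req -new -x509 -batch -nodes -days 3650 \
          -config "$1" -newkey rsa:2048 -keyout "$2" -out "$3" 2>/dev/null )
}

# Print the subject of a PEM certificate, to check what actually went in.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Stand-alone demo with constructed values. Province, city, OU and email are
# deliberately empty to show that they are dropped rather than prompted for.
export REQ_COUNTRY=US REQ_PROVINCE="" REQ_CITY="" REQ_ORG="Example Org" \
       REQ_OU="" REQ_CN="host.example.test" REQ_EMAIL=""
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    write_req_config "$d/req.cnf"
    issue_selfsigned "$d/req.cnf" "$d/key.pem" "$d/cert.pem"
    cert_subject "$d/cert.pem"
    rm -rf "$d"
fi
```

To add or drop a field you edit the config, not the script: the prompt line and its _default line go together, and the order of the lines is the order of the RDNs in the subject.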



Re: scripting creating a cert

Robert Moskowitz
Very nice.  But this looks like it is part of the whole easyRSA effort, not something I can easily feed into the openssl command to create the cert.  It would take a fair bit of digging to dig out what I need for now.

Definitely something I will look into soon, as providing a simple PKI for a small installation has long been on my list.  But the effort name is limiting.  What about ECDSA and EDDSA certs?  :)


Re: scripting creating a cert

Robert Moskowitz
In reply to this post by Viktor Dukhovni
Viktor,

On 03/09/2017 05:53 PM, Viktor Dukhovni wrote:

>> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <[hidden email]> wrote:
>>
>>>    $ umask 077 # avoid world-readable private keys
>> Perhaps (no perhaps about it) this is old information, but I picked up that I needed:
>>
>> chmod 640 for the private keys for Apache.  (and postfix and others use these certs; at least they are in their confs)
> I strive to avoid the private disclosure race of first creating
> a world-readable file, and then trying to do a quick chmod before
> the bad guys get around to opening it.  That's why I recommend the
> umask approach.
>
> You can adjust the umask to suit your needs.  With OpenSSL 1.1.0,
> if I recall correctly "keyout" files and the like are automatically
> opened mode "0600". Rich Salz, who wrote the CLI option processing
> code for 1.1.0 will correct me, if my memory is faulty.  There are
> still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
> always figure out which files end up having private keys in them,
> so the umask approach is a good precaution to keep using.

Rich got me some help and I have put the following together:

Set the following variables:

countryName=
stateOrProvinceName=
localityName=
organizationName=
organizationalUnitName=
emailAddress=postmaster@$your_domain_tld

Then the following commands create the certs:

restore_mask=$(umask -p)
umask 077
cd /etc/pki/tls
commonName=$your_host_tld

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 \
    -nodes -keyout private/$commonName.key -keyform PEM -days 3650 \
    -x509 -extensions v3_req -subj \
    "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key
commonName=webmail.$your_domain_tld   # dot added: "webmail$your_domain_tld" would run the two together

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 \
    -nodes -keyout private/$commonName.key -keyform PEM -days 3650 \
    -x509 -extensions v3_req -subj \
    "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key
commonName=localhost

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 \
    -nodes -keyout private/$commonName.key -keyform PEM -days 3650 \
    -x509 -extensions v3_req -subj \
    "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key
$restore_mask   # re-runs the "umask NNNN" command saved by "umask -p" above
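The same -subj approach as the script above, as an added example that is not the poster's script: the subject string is assembled by a function that skips empty attributes (openssl would otherwise warn and skip them itself) and escapes the two characters that are special inside -subj, '/' and '\', and the three certificates are issued in a loop under umask 077 with the chmod 640 afterwards. The variable names follow the thread (countryName, commonName and so on); the domain, the organization and the host list are constructed. It goes beyond the thread in two ways: the escaping, which matters once an organization name contains a slash, and a minimal config written by the example so the run does not depend on the distro's openssl.cnf (which is why the thread's -extensions v3_req is omitted; add it back if your config has that section).

```shell
#!/bin/sh
# Added example, not the poster's script: the -subj approach with the subject
# built by a function that drops empty attributes and escapes '/' and '\',
# plus a loop over several host names. Variable names follow the thread;
# the domain, organization and host names below are constructed values.

# Escape one attribute value for use inside an openssl -subj string:
# backslash first (it is the escape character), then the RDN separator '/'.
subj_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's#/#\\/#g'
}

# Build "/type=value/type=value..." from the countryName, ... variables,
# leaving out any that are empty.
build_subject() {
    subj=""
    for pair in "countryName=$countryName" \
                "stateOrProvinceName=$stateOrProvinceName" \
                "localityName=$localityName" \
                "organizationName=$organizationName" \
                "organizationalUnitName=$organizationalUnitName" \
                "commonName=$commonName" \
                "emailAddress=$emailAddress"; do
        type=${pair%%=*}
        value=${pair#*=}
        [ -n "$value" ] && subj="$subj/$type=$(subj_escape "$value")"
    done
    printf '%s\n' "$subj"
}

# Minimal config so the run does not depend on the distro's openssl.cnf;
# with -subj the DN section is never consulted, but req insists it exists.
write_min_config() {
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$1"
}

# Issue one self-signed cert for $commonName into the PKI directory $1.
# The key is born owner-only (umask 077) and then opened to the service
# group with chmod 640, as in the thread.
issue_one() {
    subject=$(build_subject)
    ( umask 077
      openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
          -config "$1/req.cnf" -subj "$subject" \
          -keyout "$1/private/$commonName.key" \
          -out "$1/certs/$commonName.crt" 2>/dev/null )
    chmod 640 "$1/private/$commonName.key"
}

# $1 = PKI directory, remaining arguments = common names to issue for.
issue_all() {
    pki=$1; shift
    mkdir -p "$pki/certs" "$pki/private"
    write_min_config "$pki/req.cnf"
    for commonName in "$@"; do
        issue_one "$pki"
    done
}

# Constructed values for the stand-alone demo. The slash in the organization
# name is the case the escaping exists for.
countryName=US
stateOrProvinceName=""
localityName=""
organizationName="Example Org/Labs"
organizationalUnitName=""
your_domain_tld=example.test
emailAddress="postmaster@$your_domain_tld"

if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    issue_all "$d" "z9m9z.$your_domain_tld" "webmail.$your_domain_tld" localhost
    for c in "$d"/certs/*.crt; do openssl x509 -in "$c" -noout -subject; done
    rm -rf "$d"
fi
```

Because the DN values are expanded once by the shell and then handed to openssl as a single argument, nothing else in the subject needs quoting; only '/' and '\' inside a value can change how openssl splits it, and those are the two characters subj_escape handles.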



Re: [EXTERNAL] scripting creating a cert

TimN
In reply to this post by Robert Moskowitz
Hi, did you get your answer to this? I just discovered 134 messages in the folder I'd set up for receiving said messages...and promptly forgot to check for same.

I just went through this exercise and have set up my configuration files and bash script to generate certificates.

-TN (Tim)
