
Automating Openssl commands


Kwan Hon Luen

Jun 2, 2003, 10:10:12 PM
Hi ,

I am currently using OpenSSL to generate CA and server/client keys/certs.

Right now, OpenSSL prompts me for a password when generating the CA key/cert:

openssl req -new -x509 -days 3650 -keyout cakey.pem -out trusted_ca_cert.pem -config openssl.cnf

(1) Is there a way to use the password as a parameter so that I can create
the CA key/cert with just one command, without any password prompting?

The command below is for generating the client/server key/cert. It prompts me
for a password, the CN, etc.

openssl req -new -keyout test_key.pem -out test_request.pem -config openssl.cnf

(2) Is there a way to use the password, CN, etc. as parameters so that I can
create the CA key/cert with just one command, without any password, CN, etc.
prompting?

The command below is for certifying the client/server cert using the CA. It
prompts me to approve the certifying.

openssl ca -policy policy_anything -out test_cert.pem -config openssl.cnf -infiles test_new.pem

(3) Is there a way to use a parameter such that the command will not prompt me
to confirm certifying the certificate?

Thanks.

Hon Luen

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Marcus Carey

Jun 3, 2003, 3:21:02 AM
Under the request section in the openssl.cnf file add the password
parameters.

[req]
input_password =
output_password =

Marcus


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.486 / Virus Database: 284 - Release Date: 5/30/2003

Kwan Hon Luen

Jun 3, 2003, 3:37:23 AM
Hi ,

Thanks.

How do I automate the creation of certificate as well by supplying the
following attributes?

countryName
stateOrProvinceName
localityName
organizationName
organizationalUnitName
commonName

Thanks.

Hon Luen

Dr. Stephen Henson

Jun 3, 2003, 7:45:08 AM
On Tue, Jun 03, 2003, Kwan Hon Luen wrote:

> (1) Is there a way to use the password as a parameter so that I can create
> the CA key/cert with just one command, without any password prompting?
>
> (2) Is there a way to use the password, CN,etc as parameters so that I can
> create the CA key/cert with just one command, without any password, CN, etc
> prompting?
>
> (3) Is there a way to use parameter such that the command will not prompt me
> to confirm certifying the certificate?

This is all documented in the relevant manual pages:

Many OpenSSL commands take -passin and -passout arguments allowing password or
password sources to be specified on the command line.

The fields for req can be specified in the config file without prompting: see
req manual page.

The x509 utility can also be used to sign certificate requests without
prompting.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: she...@drh-consultancy.demon.co.uk, PGP key: via homepage.

Michael Czapski

Jun 3, 2003, 4:58:53 PM
You could try something like:

rem Build a minimal req config; prompt=no means no DN questions are asked
echo [ req ] > abc\abc_csr.conf
echo distinguished_name=req_distinguished_name >> abc\abc_csr.conf
echo req_extensions = v3_req >> abc\abc_csr.conf
echo prompt=no >> abc\abc_csr.conf
echo [ req_distinguished_name ] >> abc\abc_csr.conf
echo C=AU >> abc\abc_csr.conf
echo ST=New South Wales >> abc\abc_csr.conf
echo L=Sydney >> abc\abc_csr.conf
echo O=Doddgy Brothers Very Limited >> abc\abc_csr.conf
echo OU=Security Division >> abc\abc_csr.conf
echo CN=a...@abc.def.com >> abc\abc_csr.conf
echo emailAddress=a...@abc.def.com >> abc\abc_csr.conf
echo [ v3_req ] >> abc\abc_csr.conf
echo basicConstraints = critical,CA:FALSE >> abc\abc_csr.conf
echo keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement >> abc\abc_csr.conf
echo extendedKeyUsage=emailProtection,clientAuth >> abc\abc_csr.conf

rem CSR from an existing private key; the key passphrase comes from -passin.
rem -days only applies together with -x509 and is ignored for a plain CSR.
.\bin\openssl req -outform PEM -out abc\abc.pem.csr -key abc\abc.pem.private.key -keyform PEM -sha1 -days 700 -new -config abc\abc_csr.conf -passin pass:somepassphrase

Cheers
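The three answers above fit together into one non-interactive script. The following is an added example, not code from Steve, Marcus or Michael: it writes a prompt = no req config (the same idea as Michael's batch file, and the config-file counterpart of Marcus's input_password/output_password keys), passes the passphrases with -passout/-passin as Steve suggests, and signs the server request with x509 -req. It assumes openssl (1.0.2 or later) on PATH and a POSIX sh; the DN values, file names and passphrases are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: non-interactive CA + server
# certificate using the three things Steve lists (-passin/-passout, DN
# fields in the config, signing with x509). Assumed: openssl (1.0.2 or
# later) on PATH, POSIX sh. DN values, file names and passphrases are
# invented for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Demo-only passphrases. env: (or file:) keeps the secret out of the
# process list; pass:xxx on the command line does not.
CA_PASS='ca-demo-passphrase';   export CA_PASS
SRV_PASS='srv-demo-passphrase'; export SRV_PASS

# $1 = config path, $2 = CN. prompt = no makes 'req' take every DN field
# from [req_distinguished_name]; input_password/output_password could be
# added to [req] as Marcus says, but -passin/-passout override them.
write_req_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt             = no
x509_extensions    = ca_ext
[ req_distinguished_name ]
C  = AU
ST = New South Wales
L  = Sydney
O  = Example Org
OU = Security Division
CN = $2
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Question (1): self-signed CA key/cert in one command, no prompts.
# x509_extensions = ca_ext is only consulted because of -x509.
make_ca() {
    write_req_config ca.cnf 'Example Root CA'
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -sha256 -config ca.cnf \
        -passout env:CA_PASS -keyout cakey.pem -out cacert.pem
}

# Question (2): server key + CSR, DN from the config, passphrase from env.
make_server_csr() {   # $1 = CN
    write_req_config server.cnf "$1"
    openssl req -new -newkey rsa:2048 -sha256 -config server.cnf \
        -passout env:SRV_PASS -keyout server_key.pem -out server.csr
}

# Question (3): sign with x509 -req instead of ca. -passin unlocks the CA
# key and there is no "Sign the certificate?" / "commit?" prompt. The
# extensions come from -extfile, not from the CSR. Note that x509 keeps
# no index.txt, so nothing records what was issued.
sign_with_x509() {
    openssl x509 -req -days 365 -sha256 -in server.csr \
        -CA cacert.pem -CAkey cakey.pem -passin env:CA_PASS -CAcreateserial \
        -extfile server.cnf -extensions server_ext -out server_cert.pem
}

main() {
    make_ca
    make_server_csr www.example.test
    sign_with_x509
    openssl verify -CAfile cacert.pem server_cert.pem
    echo "artifacts left in $WORK"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not on PATH; only write_req_config can run" >&2
fi
```

Run it as-is; it works in a fresh temporary directory and leaves the files there for inspection. Prefer the env: or file: forms of -passin/-passout in scripts; pass: puts the secret in the process list. The trade-off of signing with x509 -req is that no index.txt is kept, so you cannot later revoke what you issued.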


pablo

Jun 5, 2003, 6:48:02 AM
Hi,

I'm developing a CA which automates this stuff that you need; maybe it
could help you (http://cultura.eii.us.es/~pablo/elyca/). It's free
software and still an early release, but if you only need to generate
certs for your servers I suppose it's enough for you. There's also
similar free software out there (have a look at freshmeat).

Pablo

Kwan Hon Luen

Jun 6, 2003, 4:34:15 AM
Hi,

How do I automate the signing of a server certificate by a CA,
without the following prompts:

(1) "Enter PEM pass phrase:"
(2) "Sign the certificate?"
(3) "commit?"

Thanks.
Hon Luen


F:\openssl_test>openssl ca -policy policy_anything -out test_cert.pem -config test.conf -infiles test_new.pem
Using configuration from test.conf
Loading 'screen' into random state - done
Enter PEM pass phrase: ********
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'AU'
stateOrProvinceName :PRINTABLE:'AU'
localityName :PRINTABLE:'AU'
organizationName :PRINTABLE:'TEST'
organizationalUnitName:PRINTABLE:'TEST'
commonName :PRINTABLE:'192.168.168.222'
Certificate is to be certified until Jun 5 08:25:47 2004 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Dr. Stephen Henson

Jun 6, 2003, 7:10:16 AM
On Fri, Jun 06, 2003, Kwan Hon Luen wrote:

> Hi,
>
> How do I automate the signing of server certificate by a CA ?
> without the following prompt:
>
> (1) "Enter PEM pass phrase:"
> (2) "Sign the certificate?"
> (3) "commit?"
>

Use the 'x509' utility instead; the passphrase can be entered via -passin and there
are no other prompts.

Steve.

pablo neira

Jun 6, 2003, 7:41:37 AM
Dr. Stephen Henson wrote:

>Use the 'x509' utility instead, passphrase can be entered via -passin there
>are no other prompts.

But this way you don't keep the index.txt file of all the valid
certificates generated, so it seems there's no way to automate the
process using the 'ca' utility, am I right?

Thanks
Pablo

Dr. Stephen Henson

Jun 6, 2003, 8:41:40 AM
On Fri, Jun 06, 2003, pablo neira wrote:

> but this way you don't keep the index.txt file the all valid
> certificates generated, so it seems there's no way to automate the
> process by using the 'ca' utility, am I right?

Well if you need 'ca' you can try the -batch option.

Steve.

Charles B Cranston

Jun 6, 2003, 10:03:17 AM
Steve, the other reason I've been forced to move from x509 to ca
is that ca appears to be the ONLY binary program that can sign
SPKAC files. Is there another way to do this that I have missed?


--
Charles B (Ben) Cranston
mailto: zb...@umd.edu
http://www.wam.umd.edu/~zben

Dr. Stephen Henson

Jun 6, 2003, 12:21:06 PM
On Fri, Jun 06, 2003, Charles B Cranston wrote:

> Steve, the other reason I've been forced to move from x509 to ca
> is that ca appears to be the ONLY binary program that can sign
> SPKAC files. Is there another way to do this that I have missed?
>

Well if you need SPKAC support then yes currently you also need to use 'ca'.
Similarly if you need to generate CRLs.
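When the CA database matters (pablo's index.txt point, and the CRL case Steve mentions just above), the same automation works with 'ca' itself. The following is an added example, not code from the thread: -batch answers the "Sign the certificate?" and "commit?" questions, -passin answers "Enter PEM pass phrase:", and because 'ca' records every issued certificate in index.txt the script can then revoke it and issue a CRL, which x509 -req cannot do. SPKAC signing is not shown. It assumes openssl (1.0.2 or later) on PATH and a POSIX sh; every file name, DN and passphrase is invented for the demo, and the DN is passed with -subj, the command-line alternative to prompt = no.

```shell
#!/bin/sh
# Added example, not code from the thread: the 'ca' route with -batch.
# Unlike x509 -req, 'ca' keeps index.txt, so the issued certificate can be
# revoked and a CRL generated afterwards. SPKAC signing is not shown.
# Assumed: openssl (1.0.2 or later) on PATH, POSIX sh; every file name,
# DN and passphrase below is invented for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
CA_PASS='ca-demo-passphrase'; export CA_PASS   # demo only; env: keeps it out of ps

# Files 'ca' insists on: empty database, starting serial, CRL number and
# a directory for the issued copies. $1 = CA directory.
init_ca_dir() {
    mkdir -p "$1/private" "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
}

# $1 = config path, $2 = CA directory. [ca]/[CA_default] drive 'ca';
# [req] is only there so the same file also serves 'req' below.
write_ca_config() {
    cat > "$1" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $2
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_anything
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# -subj gives the DN on the command line, the other way (besides
# prompt = no in the config) to keep 'req' from asking questions.
make_ca() {
    init_ca_dir ca
    write_ca_config ca.cnf ./ca
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -sha256 -config ca.cnf \
        -subj '/C=AU/O=Example Org/CN=Example Root CA' \
        -passout env:CA_PASS -keyout ca/private/cakey.pem -out ca/cacert.pem
}

make_server_csr() {   # $1 = CN; unencrypted key, as a server daemon needs
    openssl req -new -newkey rsa:2048 -sha256 -nodes -config ca.cnf \
        -subj "/C=AU/O=Example Org/CN=$1" -keyout server_key.pem -out server.csr
}

# -batch answers "Sign the certificate?" and "commit?", -passin answers
# "Enter PEM pass phrase:". index.txt and serial are updated on success.
sign_with_ca() {
    openssl ca -batch -config ca.cnf -passin env:CA_PASS \
        -policy policy_anything -extensions server_ext -notext \
        -in server.csr -out server_cert.pem
}

# Only possible because 'ca' kept the database: mark the entry R and
# publish a CRL that verifiers can check against.
revoke_and_gencrl() {
    openssl ca -batch -config ca.cnf -passin env:CA_PASS -revoke server_cert.pem
    openssl ca -batch -config ca.cnf -passin env:CA_PASS -gencrl -out ca/crl.pem
}

main() {
    make_ca
    make_server_csr www.example.test
    sign_with_ca
    openssl verify -CAfile ca/cacert.pem server_cert.pem
    revoke_and_gencrl
    cat ca/index.txt                     # the entry now starts with R
    echo "artifacts left in $WORK"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not on PATH; only init_ca_dir/write_ca_config can run" >&2
fi
```

The files 'ca' insists on (an empty index.txt, serial, crlnumber and a newcerts directory) are created by init_ca_dir; forgetting one of them is the usual reason 'ca' fails from a script. -batch makes 'ca' sign whatever it is handed, so any review of the request (subject, intended use) has to happen before the script runs, not inside it. After the revocation, openssl verify -crl_check -CRLfile ca/crl.pem rejects the certificate that plain openssl verify still accepts.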

Kwan Hon Luen

Jun 8, 2003, 7:22:16 AM
Hi,

Is there a way to automate the signing of a server certificate by a CA,
without the following prompts:

(1) "Enter PEM pass phrase:"
(2) "Sign the certificate?"
(3) "commit?"

Thanks.

Hon Luen

