On 11/2/2012 5:20 PM, Felipe Gasper wrote:
> Hi all,
>
> What ways other than the interactive command shell are available
> for setting a CSR’s challenge password attribute?
>
> I can’t find a command-line switch that does it, and perl’s
> Crypt::OpenSSL::PKCS10 doesn’t seem to know about it, either.
>
> Thanks!
>
It is set via the passed in config file. Specifically, the openssl req
command looks in the [req] section for a line named "attributes", then
the value of that line is the name of another section (without the []).
In that other section, there are lines describing what attributes to
put in the CSR, if there should be any prompting and what the value
should be if not prompting.
So to not prompt for a challenge password and not put a challenge
password in the CSR (the most common need for this), simply do
not mention the challenge password in that section:

[req]
...
attributes = req_attributes

[req_attributes]
# Nothing here

To set a specific challenge password in the CSR without prompting,
invoke openssl req -config secretfiles/thisreq.cnf where
secretfiles/thisreq.cnf is a modified openssl.cnf with these changes:

# Make sure to prevent others from reading this temp config file
# and wipe it securely after use
[req]
...
attributes = thisreq_attributes

[thisreq_attributes]
challengePassword_default = VerySecretWordTheyCannotGuessThisHaHa

Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.
http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
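
An end-to-end run of the config-file approach from the reply above, as an added example that is not part of the original thread: it writes a private temporary config, generates the CSR with no prompting, removes the config, and checks that the attribute is in the request. It uses `prompt = no`, in which the attributes section carries the value directly as `challengePassword = ...`; the function names, the CN and the password file are assumptions made for illustration.

```shell
#!/bin/sh
# make_csr_with_challenge OUT_CSR OUT_KEY PASSWORD_FILE   (hypothetical helper)
# Assumes the password contains no characters special to the OpenSSL
# config parser (such as $, #, \ or quotes).
make_csr_with_challenge() {
    out_csr=$1; out_key=$2; pw_file=$3
    (
        umask 077                        # temp dir, config and key: owner-only
        tmpdir=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmpdir"' EXIT     # config is removed even if openssl fails
        {
            printf '%s\n' '[req]' \
                'prompt = no' \
                'distinguished_name = req_dn' \
                'attributes = thisreq_attributes' \
                '[req_dn]' \
                'CN = csr-test.example' \
                '[thisreq_attributes]'
            # printf is a shell builtin, so the value never appears in the
            # argument list of a separate process.
            printf 'challengePassword = %s\n' "$(cat "$pw_file")"
        } > "$tmpdir/thisreq.cnf"
        openssl req -new -newkey rsa:2048 -nodes \
            -config "$tmpdir/thisreq.cnf" \
            -keyout "$out_key" -out "$out_csr" 2>/dev/null
    )
}

# csr_has_challenge CSR: exit status 0 if the CSR carries the attribute
csr_has_challenge() {
    openssl req -in "$1" -noout -text | grep -q 'challengePassword'
}
```

The challenge password is stored unencrypted in the CSR, so anyone who can read the request file can read the value.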