On Fri, Sep 27, 2002 at 05:42:56PM +0200, Mathieu Arnold wrote:
> I've been going through the list archive, and I can't find out how to
> script certificate creation.
> the ideal thing would be to be able to specify things like :
> openssl req -new -x509 -days 3650 -text -out cert.pem -keyout cert.pem
> -passphrase "my stupid passphrase" -country FR -state Marne -locality Reims
> -organisation "my organisation" -organisationalunit "my unit" -commonname
> "mathieu arnold" -email "[EMAIL PROTECTED]"
>
> I was wondering if something similar could be done (even using a file to
> store the informations)

Yes, write the info to a config file and pass that as -config. At least,
that's how I do it. e.g.:

# openssl() is a helper that is not shown in this message
open(REQCONF, ">$tmpdir/reqconf") or die "cannot write $tmpdir/reqconf: $!";
print REQCONF <<EOF;
[req]
distinguished_name=req_distinguished_name
attributes=req_attributes
prompt=no
[req_attributes]
[req_distinguished_name]
emailAddress=$email
EOF
# Append each DN component (name=value) on its own line
for (reverse split(/, */, $dn)) {
  if (/^[a-zA-Z0-9]+=./) {
    print REQCONF "$_\n";
  }
}
# Flush the config to disk before openssl reads it
close(REQCONF);
openssl("req", "-new", "-config", "$tmpdir/reqconf",
        "-key", "$tmpdir/key", "-out", "$tmpdir/req");
openssl("x509", "-req", "-extensions", "${certype}_cert",
        "-extfile", "$cadir/tinyca-openssl.cnf", "-in", "$tmpdir/req",
        "-CA", "$cadir/public/ca-crt.pem",
        "-CAkey", "$cadir/private/ca-key.pem",
        "-CAserial", "$cadir/private/serial",
        "-text", "-out", "$tmpdir/newcert");

HTH. Feedback appreciated. Maybe the OpenCA Perl modules would make this a
whole lot easier. Or just writing an application to replace "req" to do what
I want. Hmmm.

SRH
-- 
Steve Haslam      Reading, UK                       [EMAIL PROTECTED]
Debian GNU/Linux Maintainer                         [EMAIL PROTECTED]
almost called it today, turned to face the void, numb with the suffering
and the question- "Why am I?"  [queensrÿche]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
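
The config-file approach from the reply, applied to the self-signed case in the question, as an added shell example that is not code from either poster. The function names, the CERT_PASS variable and the sample values are assumptions; DN values are checked before they reach the config file, and the passphrase is passed with -passout env: instead of on the command line.

```shell
# Added example: function names and sample values are constructed.
# Allow only characters that have no special meaning in an OpenSSL
# config file (no newline, '$', '#', '\', quotes). The trailing "x"
# keeps $(...) from silently stripping a newline left over by tr.
dn_value_ok() {
    [ -n "$1" ] || return 1
    rest=$(printf '%s' "$1" | tr -d 'A-Za-z0-9 ._@-'; printf x)
    [ "$rest" = x ]
}

# write_req_conf FILE C ST L O OU CN EMAIL
write_req_conf() {
    [ $# -eq 8 ] || return 1
    conf=$1; shift
    for v in "$@"; do dn_value_ok "$v" || return 1; done
    cat >"$conf" <<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = $1
ST = $2
L = $3
O = $4
OU = $5
CN = $6
emailAddress = $7
EOF
}

# make_cert CONF OUTDIR: self-signed cert plus encrypted key. The
# passphrase comes from the exported $CERT_PASS, not from argv.
make_cert() {
    ( umask 077
      openssl req -new -x509 -days 3650 -config "$1" \
          -newkey rsa:2048 -passout env:CERT_PASS \
          -keyout "$2/key.pem" -out "$2/cert.pem" )
}

# Demo with constructed values; skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d); CERT_PASS=constructed-demo-passphrase; export CERT_PASS
    write_req_conf "$d/req.cnf" FR Marne Reims "my organisation" \
        "my unit" "mathieu arnold" user@example.com &&
    make_cert "$d/req.cnf" "$d" &&
    openssl x509 -in "$d/cert.pem" -noout -subject ||
        echo "openssl run failed" >&2
    rm -rf "$d"
fi
```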