Hi,
 
While creating self-signed certificates and certificate requests, use -subj to specify the
subject name and -nodes to avoid being prompted for a password (the private key will not be encrypted).
If you want the password to be encrypted, generate the RSA key using the genrsa command with the -passout option and use this key to generate the certificate.

While signing certificate requests using the ca command, use the -batch option (in this mode no questions will be asked and all certificates will be certified automatically).

Try using the following script.
######################################################################
  
# Absolute path to the OpenSSL installation
ssl_dir="/usr/local/openssl"
if [ ! -d "$ssl_dir" ]
then
        echo "OpenSSL not installed in $ssl_dir"
        exit 1
fi
cd $ssl_dir
#############
#Set up the CA
#############
echo "Create a self signed certificate for the CA"
openssl req -x509 -out $ssl_dir/bin/cacert.pem -new -keyout $ssl_dir/bin/cakey.pem  -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=prakash -nodes
 
echo "Set up the CA using the CA.pl script"
echo "$ssl_dir/bin/cacert.pem" | $ssl_dir/misc/CA.pl -newca
 
echo "Copy the CA private key to the private directory"
cp $ssl_dir/bin/cakey.pem $ssl_dir/demoCA/private/
 
###########################
#Generate Number of Requests
###########################
echo "Create  certificate request for user 1..\n"
openssl req -out cert_req_user1.pem -new -keyout priv_key_user1.pem -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=user1 -nodes
 
echo "Create certificate request for user 2..\n"
openssl req -out cert_req_user2.pem -new -keyout priv_key_user2.pem -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=user2 -nodes
 
#############################
#Issue Certificate
#############################
echo "Issue Certificate for the first user"
openssl  ca -in cert_req_user1.pem  -batch
echo "Issue Certificate for the second user"
openssl  ca -in cert_req_user2.pem  -batch
 
######################################################################
regards,
Prakash

Brian DeGeeter <[EMAIL PROTECTED]> wrote:
You need to set the cnf so it won't prompt.


Here's a little excerpt from a shell script:

cat <<@eof >$CONFFILE
# openssl x509 extfile params
extensions = extend
[req] # openssl req params
prompt = no
distinguished_name = dn-param
[dn-param] # DN fields
C = US
ST = WA
L = Yadda
O = Yadda
OU = Chain One
CN = chain-one.dig.net
emailAddress = [EMAIL PROTECTED]
[extend] # openssl extensions
#subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always
#basicConstraints = critical,CA:true
#keyUsage = keyCertSign,cRLSign
#nsCertType = sslCA,emailCA,objCA
#certificatePolicies = ia5org,@policy
[policy]
@eof

echo 01 >$SNUMFILE

$OPENSSL req -config $CONFFILE \
-newkey rsa:2048 -passout pass:yadda -keyout inter.key.pem |
$OPENSSL x509 -req -sha1 -extfile $CONFFILE \
-CAserial $SNUMFILE -days 364 -passin pass:yadda \
-CA /root/ssl/file.crt -CAkey /root/ssl/file.key -out inter.cert.pem
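
Added example, not part of either poster's message: one prompt-free run that combines the two approaches above (-subj and -nodes from the first script, a "prompt = no" config from the second) and checks the result with openssl verify. The DN values, file names and work directory are constructed; it signs with "openssl x509 -req" and SHA-256 rather than "openssl ca -batch", and reads the CA key passphrase from a file instead of passing it as pass:... on the command line.

```shell
#!/bin/sh
# Added example: names, DN values and file layout are constructed, not from the thread.

write_cnf() {   # $1 = config path; "prompt = no" makes req read the DN from [dn]
cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example Org
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# $1 = empty work directory, $2 = user common name.
# Prints the issued certificate's subject; non-zero status if any step fails.
issue_user_cert() (
    d=$1 cn=$2
    umask 077    # key files and the passphrase file are readable by the owner only
    write_cnf "$d/req.cnf" &&
    # The passphrase lives in a file, so it never appears in the process list
    # (unlike pass:... on the command line).
    openssl rand -hex 24 > "$d/ca.pass" &&
    # CA key is encrypted at rest; the CA's DN comes from the config file.
    openssl genrsa -aes256 -passout "file:$d/ca.pass" -out "$d/ca.key" 2048 &&
    openssl req -x509 -new -config "$d/req.cnf" -key "$d/ca.key" \
        -passin "file:$d/ca.pass" -sha256 -days 30 -out "$d/ca.crt" &&
    # User request: -subj overrides the DN in the config, -nodes leaves the
    # user's private key unencrypted.
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/user.key" -subj "/O=Example Org/CN=$cn" -out "$d/user.csr" &&
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -passin "file:$d/ca.pass" -CAcreateserial -sha256 -days 30 \
        -out "$d/user.crt" &&
    # Check the chain before handing the certificate out.
    openssl verify -CAfile "$d/ca.crt" "$d/user.crt" >/dev/null &&
    openssl x509 -in "$d/user.crt" -noout -subject -nameopt RFC2253
)

workdir=$(mktemp -d) && issue_user_cert "$workdir" user1
```
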

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Brian
Sent: Tuesday, 23 August, 2005 1:00 PM
To: openssl-users@openssl.org
Subject: RE: Automation question

In reply to you both, the PHP part I got down..that's not the problem.
It's what to tell openssl to do. I'm trying now to make a cnf file to
make a CA without prompting, then to make a certificate req and sign it
without prompting...at least now I know I'm in the right direction.

Thanks!
--Brian

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas J. Hruska
Sent: Tuesday, August 23, 2005 15:59
To: openssl-users@openssl.org
Subject: Re: Automation question

Oliver Leitner wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> McCann, Brian wrote:
> | Hi all...I'm new to the list and for the most part OpenSSL as well...so
> | sorry if I use the wrong terminology. I've searched the list archives,
> | as well as Google, and cannot figure this out. I'm trying to create a
> | CA certificate, as well as certificates for users using a script (called
> | from a web browser). For the life of me, I cannot figure out how to
> | send the "openssl req" and "openssl ca" command the answers to the
> | questions it needs (O,OU,State,etc) through a text file or std in...I'm
> | sure this is possible...I just can't find how! Any help would be
> | greatly appreciated!
> |
> | Thanks,
> | --Brian McCann
> |
> | ______________________________________________________________________
> | OpenSSL Project http://www.openssl.org
> | User Support Mailing List openssl-users@openssl.org
> | Automated List Manager [EMAIL PROTECTED]
> |
>
> you could use the system(); command from php for one, on the other hand,
> you may want to try to run some background cgi....
>
> there's plenty of ways to call commands from a webpage...
>
> Greetings
> Oliver

That didn't answer the OP's question. You should specify what platform
you are working under. Under Windows, using stdin to fill in the fields
is difficult (if not impossible) because the password field does not use
stdin but rather the Console APIs.

Personally, I think there should be a command-line option to define
those fields in a URL-encoded format. That would go a long way to
eliminating the .cnf files, which, under Windows, are considered to be a
special file type such that they can't be opened in notepad very easily.

--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

Ask me about discounts on any Shining Light Productions product!
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]

