Re: Automating Openssl commands
Thank you for the hint it is worth thinking about another approach but I think I am through (and tested) with all but the last line that is:

openssl ca -in server.csr -out server.crt -config openssl.conf -passin pass:password

and the only problem seems to be that

The commonName field needed to be supplied and was missing

And I do not see any error in the declaration of openssl.conf

-willi moser

Hi,

I thought that you want to automate all the commands without any interactions via terminal. How about using the prompt no command? See req manual in detail.

-Kiyoshi
Kiyoshi Watanabe

I want to automate keygen but I am getting the following error on openssl ca

#
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'New Jersey'
localityName          :PRINTABLE:'New York'
organizationName      :PRINTABLE:'acme'
organizationalUnitName:PRINTABLE:'acme'
The commonName field needed to be supplied and was missing
#

I tried it with supplied and match and buried myself in docs, man's and tests for days - without a clue.
Thank you for your help in advance.

willi moser, vienna

Is there a way to write an easier openssl.conf like this?

organizationName = acme
organizationalUnitName = Marketing
emailAddress = [EMAIL PROTECTED]
emailAddress_max = 40
localityName = New York
stateOrProvinceName = New Jersey
countryName = US
countryName_min = 2
countryName_max = 2
commonName = www.acme.com
commonName_max = 64

#
#!/bin/sh
openssl genrsa -out ca.private.key 1024
openssl req -new -x509 -days 3650 -key ca.private.key -out ca.crt -config ssl_csr.conf -passin pass:password
openssl x509 -in ca.crt -out iecert.crt -outform DER
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr -config ssl_csr.conf -passin pass:password
mkdir -p demoCA/private
cp ca.private.key demoCA/private/cakey.pem
cp ca.crt demoCA/cacert.pem
mkdir demoCA/newcerts
touch demoCA/index.txt
echo 01 > demoCA/serial
# WE ARE HERE THE ABOVE WAS PASSED - OK ---
openssl ca -in server.csr -out server.crt -config openssl.conf -passin pass:password

# this is the openssl.conf
#
dir = /etc/solver-www/ssl/demoCA

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024 # Size of keys
#default_keyfile = key.pem # Name of generated key
default_keyfile = server.key # Name of generated key
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name    prompt string
#--
organizationName = acme
organizationalUnitName = Marketing
emailAddress = [EMAIL PROTECTED]
emailAddress_max = 40
localityName = New York
stateOrProvinceName = New Jersey
countryName = US
countryName_min = 2
countryName_max = 2
commonName = www.acme.com
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name    Value
#--
organizationName_default = acme
localityName_default = New York
stateOrProvinceName_default =
Re: Automating Openssl commands
On Mon, Aug 11, 2003, [EMAIL PROTECTED] wrote:

> Thank you for the hint it is worth thinking about another approach but I think I am through (and tested) with all but the last line that is:
>
> openssl ca -in server.csr -out server.crt -config openssl.conf -passin pass:password
>
> and the only problem seems to be that
>
> The commonName field needed to be supplied and was missing
>
> And I do not see any error in the declaration of openssl.conf

Your openssl.cnf file is saying that it is a fatal error if the request does not contain the commonName field and the request you are trying to sign doesn't include commonName.

Either edit openssl.cnf if that isn't what you want or make sure the request includes commonName.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Automating Openssl commands
Hi,

How do I automate the signing of server certificate by a CA? without the following prompt:

(1) Enter PEM pass phrase:
(2) Sign the certificate?
(3) commit?

Thanks.
Hon Luen

F:\openssl_test>openssl ca -policy policy_anything -out test_cert.pem -config test.conf -infiles test_new.pem
Using configuration from test.conf
Loading 'screen' into random state - done
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'AU'
stateOrProvinceName   :PRINTABLE:'AU'
localityName          :PRINTABLE:'AU'
organizationName      :PRINTABLE:'TEST'
organizationalUnitName:PRINTABLE:'TEST'
commonName            :PRINTABLE:'192.168.168.222'
Certificate is to be certified until Jun 5 08:25:47 2004 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

----- Original Message -----
From: Michael Czapski [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 4:53 AM
Subject: RE: Automating Openssl commands

You could try something like:

echo [ req ] > abc\abc_csr.conf
echo distinguished_name=req_distinguished_name >> abc\abc_csr.conf
echo req_extensions = v3_req >> abc\abc_csr.conf
echo prompt=no >> abc\abc_csr.conf
echo [ req_distinguished_name ] >> abc\abc_csr.conf
echo C=AU >> abc\abc_csr.conf
echo ST=New South Wales >> abc\abc_csr.conf
echo L=Sydney >> abc\abc_csr.conf
echo O=Doddgy Brothers Very Limited >> abc\abc_csr.conf
echo OU=Security Division >> abc\abc_csr.conf
echo [EMAIL PROTECTED] >> abc\abc_csr.conf
echo [EMAIL PROTECTED] >> abc\abc_csr.conf
echo [ v3_req ] >> abc\abc_csr.conf
echo basicConstraints = critical,CA:FALSE >> abc\abc_csr.conf
echo keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement >> abc\abc_csr.conf
echo extendedKeyUsage=emailProtection,clientAuth >> abc\abc_csr.conf

.\bin\openssl req -outform PEM -out abc\abc.pem.csr -key abc\abc.pem.private.key -keyform PEM -sha1 -days 700 -new -config abc\abc_csr.conf -passin pass:somepassphrase

Cheers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kwan Hon Luen
Sent: Tuesday, June 03, 2003 5:31 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Automating Openssl commands

Hi,

Thanks. How do I automate the creation of certificate as well by supplying the following attributes?

countryName
stateOrProvinceName
localityName
organizationName
organizationalUnitName
commonName

Thanks.
Hon Luen

----- Original Message -----
From: Marcus Carey [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 03, 2003 3:23 PM
Subject: Re: Automating Openssl commands

Under the request section in the openssl.cnf file add the password parameters.

[req]
input_password =
output_password =

Marcus

----- Original Message -----
From: Kwan Hon Luen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 02, 2003 7:07 PM
Subject: Automating Openssl commands

Hi,

I am currently using Openssl to generate CA and server/client key certs.

Right now, the Openssl prompts me for password when generating CA key/cert:

openssl req -new -x509 -days 3650 -keyout cakey.pem -out trusted_ca_cert.pem -config openssl.cnf

(1) Is there a way to use the password as a parameter so that I can create the CA key/cert with just one command, without any password prompting?

The command below is for generating client/server key/cert. It prompts me for password, the CN, etc.

openssl req -new -keyout test_key.pem -out test_request.pem -config openssl.cnf

(2) Is there a way to use the password, CN, etc as parameters so that I can create the CA key/cert with just one command, without any password, CN, etc prompting?

The command below is for certifying the client/server cert using the CA. It prompts me to approve the certifying.

openssl ca -policy policy_anything -out test_cert.pem -config openssl.cnf -infiles test_new.pem

(3) Is there a way to use parameter such that the command will not prompt me to confirm certifying the certificate?

Thanks.
Hon Luen

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.486 / Virus Database: 284 - Release Date: 5/30/2003
Re: Automating Openssl commands
On Fri, Jun 06, 2003, Kwan Hon Luen wrote:

> Hi,
>
> How do I automate the signing of server certificate by a CA? without the following prompt:
>
> (1) Enter PEM pass phrase:
> (2) Sign the certificate?
> (3) commit?

Use the 'x509' utility instead, passphrase can be entered via -passin there are no other prompts.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: Automating Openssl commands
Dr. Stephen Henson wrote:

> On Fri, Jun 06, 2003, Kwan Hon Luen wrote:
>
> > Hi,
> >
> > How do I automate the signing of server certificate by a CA? without the following prompt:
> >
> > (1) Enter PEM pass phrase:
> > (2) Sign the certificate?
> > (3) commit?
>
> Use the 'x509' utility instead, passphrase can be entered via -passin there are no other prompts.

but this way you don't keep the index.txt file the all valid certificates generated, so it seems there's no way to automate the process by using the 'ca' utility, am I right?

Thanks
Pablo
Re: Automating Openssl commands
On Fri, Jun 06, 2003, pablo neira wrote:

> Dr. Stephen Henson wrote:
>
> > On Fri, Jun 06, 2003, Kwan Hon Luen wrote:
> >
> > > Hi,
> > >
> > > How do I automate the signing of server certificate by a CA? without the following prompt:
> > >
> > > (1) Enter PEM pass phrase:
> > > (2) Sign the certificate?
> > > (3) commit?
> >
> > Use the 'x509' utility instead, passphrase can be entered via -passin there are no other prompts.
>
> but this way you don't keep the index.txt file the all valid certificates generated, so it seems there's no way to automate the process by using the 'ca' utility, am I right?

Well if you need 'ca' you can try the -batch option.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
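The two answers in this thread (a request that really contains commonName, which `prompt = no` guarantees, and `-batch` for `ca`) put together as an added example; it is not code from any poster. File names, DN values and the `CA_PASS` variable are constructed, and it uses 2048-bit keys, SHA-256 and `env:` pass phrase input instead of the thread's 1024-bit/md5/`pass:` settings, because a `pass:` argument is visible in the process list.

```shell
# Added example; file names, DN values and CA_PASS are constructed for the demo.
demo_ca_batch() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 127; }
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        CA_PASS='constructed-demo-passphrase'; export CA_PASS
        # prompt = no turns the [ dn ] entries into values. Without it they are
        # prompt strings, and a field with no *_default is left out of the CSR.
        cat > csr.conf <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
C  = US
ST = New Jersey
O  = acme
OU = Marketing
CN = www.acme.com
EOF
        cat > ca.conf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = ./demoCA
serial        = $dir/serial
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_days  = 365
default_md    = sha256
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = match
commonName             = supplied
EOF
        mkdir -p demoCA/private demoCA/newcerts
        : > demoCA/index.txt; echo 01 > demoCA/serial
        # CA key and self-signed CA cert; the pass phrase comes from the environment.
        openssl req -new -x509 -newkey rsa:2048 -days 3650 -config csr.conf \
            -subj '/C=US/ST=New Jersey/O=acme/OU=Marketing/CN=acme demo CA' \
            -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem \
            -passout env:CA_PASS 2>/dev/null || exit 1
        openssl req -new -newkey rsa:2048 -nodes -config csr.conf \
            -keyout server.key -out server.csr 2>/dev/null || exit 1
        # Check the request before signing: policy_match requires commonName.
        openssl req -in server.csr -noout -subject | grep -q 'www.acme.com' || exit 1
        # -batch skips "Sign the certificate?" and "commit?"; index.txt is still updated.
        openssl ca -batch -config ca.conf -in server.csr -out server.crt \
            -passin env:CA_PASS >/dev/null 2>&1 || exit 1
        cat demoCA/index.txt
    )
    rc=$?; rm -rf "$work"; return $rc
}
demo_ca_batch
```

The function prints the single `index.txt` record written by `ca`, which is the bookkeeping the `x509` route does not give you.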
Re: Automating Openssl commands
Steve, the other reason I've been forced to move from x509 to ca is that ca appears to be the ONLY binary program that can sign SPKAC files. Is there another way to do this that I have missed?

Dr. Stephen Henson wrote:

> On Fri, Jun 06, 2003, pablo neira wrote:
>
> > Dr. Stephen Henson wrote:
> >
> > > On Fri, Jun 06, 2003, Kwan Hon Luen wrote:
> > >
> > > > Hi,
> > > >
> > > > How do I automate the signing of server certificate by a CA? without the following prompt:
> > > >
> > > > (1) Enter PEM pass phrase:
> > > > (2) Sign the certificate?
> > > > (3) commit?
> > >
> > > Use the 'x509' utility instead, passphrase can be entered via -passin there are no other prompts.
> >
> > but this way you don't keep the index.txt file the all valid certificates generated, so it seems there's no way to automate the process by using the 'ca' utility, am I right?
>
> Well if you need 'ca' you can try the -batch option.
>
> Steve.
> --
> Dr Stephen N. Henson.
> Core developer of the OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via homepage.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Automating Openssl commands
On Fri, Jun 06, 2003, Charles B Cranston wrote:

> Steve, the other reason I've been forced to move from x509 to ca is that ca appears to be the ONLY binary program that can sign SPKAC files. Is there another way to do this that I have missed?

Well if you need SPKAC support then yes currently you also need to use 'ca'. Similarly if you need to generate CRLs.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: Automating Openssl commands
Hi,

I'm developing a CA which automates this stuff that you need, maybe it could help you (http://cultura.eii.us.es/~pablo/elyca/), it's free software and still an early release but if you only need to do generate certs for your servers I suppose it's enough for you. There's also similar free-software out there (have a look at freshmeat).

Pablo

Kwan Hon Luen wrote:

> Hi,
>
> I am currently using Openssl to generate CA and server/client key certs.
>
> Right now, the Openssl prompts me for password when generating CA key/cert:
>
> openssl req -new -x509 -days 3650 -keyout cakey.pem -out trusted_ca_cert.pem -config openssl.cnf
>
> (1) Is there a way to use the password as a parameter so that I can create the CA key/cert with just one command, without any password prompting?
>
> The command below is for generating client/server key/cert. It prompts me for password, the CN, etc.
>
> openssl req -new -keyout test_key.pem -out test_request.pem -config openssl.cnf
>
> (2) Is there a way to use the password, CN, etc as parameters so that I can create the CA key/cert with just one command, without any password, CN, etc prompting?
>
> The command below is for certifying the client/server cert using the CA. It prompts me to approve the certifying.
>
> openssl ca -policy policy_anything -out test_cert.pem -config openssl.cnf -infiles test_new.pem
>
> (3) Is there a way to use parameter such that the command will not prompt me to confirm certifying the certificate?
>
> Thanks.
> Hon Luen
RE: Automating Openssl commands
You could try something like:

echo [ req ] > abc\abc_csr.conf
echo distinguished_name=req_distinguished_name >> abc\abc_csr.conf
echo req_extensions = v3_req >> abc\abc_csr.conf
echo prompt=no >> abc\abc_csr.conf
echo [ req_distinguished_name ] >> abc\abc_csr.conf
echo C=AU >> abc\abc_csr.conf
echo ST=New South Wales >> abc\abc_csr.conf
echo L=Sydney >> abc\abc_csr.conf
echo O=Doddgy Brothers Very Limited >> abc\abc_csr.conf
echo OU=Security Division >> abc\abc_csr.conf
echo [EMAIL PROTECTED] >> abc\abc_csr.conf
echo [EMAIL PROTECTED] >> abc\abc_csr.conf
echo [ v3_req ] >> abc\abc_csr.conf
echo basicConstraints = critical,CA:FALSE >> abc\abc_csr.conf
echo keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement >> abc\abc_csr.conf
echo extendedKeyUsage=emailProtection,clientAuth >> abc\abc_csr.conf

.\bin\openssl req -outform PEM -out abc\abc.pem.csr -key abc\abc.pem.private.key -keyform PEM -sha1 -days 700 -new -config abc\abc_csr.conf -passin pass:somepassphrase

Cheers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kwan Hon Luen
Sent: Tuesday, June 03, 2003 5:31 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Automating Openssl commands

Hi,

Thanks. How do I automate the creation of certificate as well by supplying the following attributes?

countryName
stateOrProvinceName
localityName
organizationName
organizationalUnitName
commonName

Thanks.
Hon Luen

----- Original Message -----
From: Marcus Carey [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 03, 2003 3:23 PM
Subject: Re: Automating Openssl commands

Under the request section in the openssl.cnf file add the password parameters.

[req]
input_password =
output_password =

Marcus

----- Original Message -----
From: Kwan Hon Luen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 02, 2003 7:07 PM
Subject: Automating Openssl commands

Hi,

I am currently using Openssl to generate CA and server/client key certs.

Right now, the Openssl prompts me for password when generating CA key/cert:

openssl req -new -x509 -days 3650 -keyout cakey.pem -out trusted_ca_cert.pem -config openssl.cnf

(1) Is there a way to use the password as a parameter so that I can create the CA key/cert with just one command, without any password prompting?

The command below is for generating client/server key/cert. It prompts me for password, the CN, etc.

openssl req -new -keyout test_key.pem -out test_request.pem -config openssl.cnf

(2) Is there a way to use the password, CN, etc as parameters so that I can create the CA key/cert with just one command, without any password, CN, etc prompting?

The command below is for certifying the client/server cert using the CA. It prompts me to approve the certifying.

openssl ca -policy policy_anything -out test_cert.pem -config openssl.cnf -infiles test_new.pem

(3) Is there a way to use parameter such that the command will not prompt me to confirm certifying the certificate?

Thanks.
Hon Luen
Automating Openssl commands
Hi,

I am currently using Openssl to generate CA and server/client key certs.

Right now, the Openssl prompts me for password when generating CA key/cert:

openssl req -new -x509 -days 3650 -keyout cakey.pem -out trusted_ca_cert.pem -config openssl.cnf

(1) Is there a way to use the password as a parameter so that I can create the CA key/cert with just one command, without any password prompting?

The command below is for generating client/server key/cert. It prompts me for password, the CN, etc.

openssl req -new -keyout test_key.pem -out test_request.pem -config openssl.cnf

(2) Is there a way to use the password, CN, etc as parameters so that I can create the CA key/cert with just one command, without any password, CN, etc prompting?

The command below is for certifying the client/server cert using the CA. It prompts me to approve the certifying.

openssl ca -policy policy_anything -out test_cert.pem -config openssl.cnf -infiles test_new.pem

(3) Is there a way to use parameter such that the command will not prompt me to confirm certifying the certificate?

Thanks.
Hon Luen