Re: Automating Openssl commands

2003-08-14 Thread wilhelm.moser
Thank you for the hint. It is worth thinking about another approach, but I
think I am through (and tested) with all but the last line, that is:
openssl ca -in server.csr -out server.crt -config openssl.conf -passin pass:password
and the only problem seems to be that The commonName field needed to be
supplied and was missing
And I do not see any error in the declaration of openssl.conf

-willi moser


 Hi,

 I thought that you want to automate all the commands without any
 interactions via terminal. How about using the prompt no command?  See
 req manual in detail.

 -Kiyoshi
 Kiyoshi Watanabe


 I want to automate keygen but I am getting the following error on
 openssl ca

 # 
 The Subjects Distinguished Name is as follows
 countryName   :PRINTABLE:'US'
 stateOrProvinceName   :PRINTABLE:'New Jersey'
 localityName  :PRINTABLE:'New York'
 organizationName  :PRINTABLE:'acme'
 organizationalUnitName:PRINTABLE:'acme'
 The commonName field needed to be supplied and was missing
 # 

 I tried it with supplied and match and buried myself in docs, man's
 and tests for days - without a clue. Thank you for your help in
 advance.


 willi moser, vienna


 Is there a way to write an easier openssl.conf like this?

 organizationName = acme
 organizationalUnitName   = Marketing
 emailAddress = [EMAIL PROTECTED]
 emailAddress_max = 40
 localityName = New York
 stateOrProvinceName  = New Jersey
 countryName  = US
 countryName_min  = 2
 countryName_max  = 2
 commonName   = www.acme.com
 commonName_max   = 64





 # 
 #!/bin/sh

 openssl genrsa -out ca.private.key 1024
 openssl req -new -x509 -days 3650 -key ca.private.key -out ca.crt \
   -config ssl_csr.conf -passin pass:password
 openssl x509 -in ca.crt -out iecert.crt -outform DER
 openssl genrsa -out server.key 1024
 openssl req -new -key server.key -out server.csr -config ssl_csr.conf \
   -passin pass:password
 mkdir -p demoCA/private
 cp ca.private.key demoCA/private/cakey.pem
 cp ca.crt demoCA/cacert.pem
 mkdir demoCA/newcerts
 touch demoCA/index.txt
 echo 01 > demoCA/serial
 # WE ARE HERE THE ABOVE WAS PASSED - OK
 --- openssl ca -in server.csr -out server.crt -config openssl.conf \
   -passin pass:password
 # 

 this is the openssl.conf

 # 
 dir  = /etc/solver-www/ssl/demoCA

 [ ca ]
 default_ca   = CA_default

 [ CA_default ]
 serial   = $dir/serial
 database = $dir/index.txt
 new_certs_dir= $dir/newcerts
 certificate  = $dir/cacert.pem
 private_key  = $dir/private/cakey.pem
 default_days = 3650
 default_md   = md5
 preserve = no
 email_in_dn  = no
 nameopt  = default_ca
 certopt  = default_ca
 policy   = policy_match

 [ policy_match ]
 countryName  = match
 stateOrProvinceName  = match
 organizationName = match
 organizationalUnitName   = match
 commonName   = supplied
 emailAddress = optional

 [ req ]
 default_bits = 1024  # Size of keys
 #default_keyfile = key.pem   # Name of generated key
 default_keyfile  = server.key# Name of generated key
 default_md   = md5   # message digest algorithm
 string_mask  = nombstr   # permitted characters
 distinguished_name   = req_distinguished_name
 req_extensions   = v3_req

 [ req_distinguished_name ]
 # Variable name                  Prompt string
 #------------------------------------------------------
 organizationName   = acme
 organizationalUnitName   = Marketing
 emailAddress = [EMAIL PROTECTED]
 emailAddress_max = 40
 localityName = New York
 stateOrProvinceName  = New Jersey
 countryName  = US
 countryName_min  = 2
 countryName_max  = 2
 commonName   = www.acme.com
 commonName_max   = 64

 # Default values for the above, for consistency and less typing.
 # Variable name                  Value
 #------------------------------------------------------
 organizationName_default     = acme
 localityName_default = New York
 stateOrProvinceName_default  = 

Re: Automating Openssl commands

2003-08-11 Thread Dr. Stephen Henson
On Mon, Aug 11, 2003, [EMAIL PROTECTED] wrote:

 Thank you for the hint. It is worth thinking about another approach, but I
 think I am through (and tested) with all but the last line, that is:
 openssl ca -in server.csr -out server.crt -config openssl.conf -passin pass:password
 and the only problem seems to be that The commonName field needed to be
 supplied and was missing
 And I do not see any error in the declaration of openssl.conf
 
Your openssl.cnf file is saying that it is a fatal error if the request does
not contain the commonName field, and the request you are trying to sign
doesn't include commonName.

Either edit openssl.cnf if that isn't what you want or make sure the request
includes commonName.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: Automating Openssl commands

2003-06-06 Thread Kwan Hon Luen
Hi,

How do I automate the signing of server certificate by a CA ?
without the following prompt:

(1) Enter PEM pass phrase:
(2) Sign the certificate?
(3) commit?

Thanks.
Hon Luen


F:\openssl_test>openssl ca -policy policy_anything -out test_cert.pem -config test.conf -infiles test_new.pem
Using configuration from test.conf
Loading 'screen' into random state - done
Enter PEM pass phrase: 
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName   :PRINTABLE:'AU'
stateOrProvinceName   :PRINTABLE:'AU'
localityName  :PRINTABLE:'AU'
organizationName  :PRINTABLE:'TEST'
organizationalUnitName:PRINTABLE:'TEST'
commonName:PRINTABLE:'192.168.168.222'
Certificate is to be certified until Jun  5 08:25:47 2004 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated




- Original Message - 
From: Michael Czapski [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 4:53 AM
Subject: RE: Automating Openssl commands


 You could try something like:

 echo [ req ] > abc\abc_csr.conf
 echo distinguished_name=req_distinguished_name >> abc\abc_csr.conf
 echo req_extensions = v3_req >> abc\abc_csr.conf
 echo prompt=no >> abc\abc_csr.conf
 echo [ req_distinguished_name ] >> abc\abc_csr.conf
 echo C=AU >> abc\abc_csr.conf
 echo ST=New South Wales >> abc\abc_csr.conf
 echo L=Sydney >> abc\abc_csr.conf
 echo O=Doddgy Brothers Very Limited >> abc\abc_csr.conf
 echo OU=Security Division >> abc\abc_csr.conf
 echo [EMAIL PROTECTED] >> abc\abc_csr.conf
 echo [EMAIL PROTECTED] >> abc\abc_csr.conf
 echo [ v3_req ] >> abc\abc_csr.conf
 echo basicConstraints = critical,CA:FALSE >> abc\abc_csr.conf
 echo keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement >> abc\abc_csr.conf
 echo extendedKeyUsage=emailProtection,clientAuth >> abc\abc_csr.conf

 .\bin\openssl req -outform PEM -out abc\abc.pem.csr -key abc\abc.pem.private.key -keyform PEM -sha1 -days 700 -new -config abc\abc_csr.conf -passin pass:somepassphrase

 Cheers


  -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]  On Behalf Of Kwan Hon Luen
 Sent: Tuesday, June 03, 2003 5:31 PM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: Automating Openssl commands

 Hi ,

 Thanks.

 How do I automate the creation of certificate as well by supplying the
 following attributes?

 countryName
 stateOrProvinceName
 localityName
 organizationName
 organizationalUnitName
 commonName

 Thanks.

 Hon Luen



 - Original Message -
 From: Marcus Carey [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, June 03, 2003 3:23 PM
 Subject: Re: Automating Openssl commands


  Under the request section in the openssl.cnf file add the password
  parameters.
 
  [req]
  input_password =
  output_password =
 
  Marcus
 
  - Original Message -
  From: Kwan Hon Luen [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Monday, June 02, 2003 7:07 PM
  Subject: Automating Openssl commands
 
 
   Hi ,
  
   I am currently using Openssl to generate CA and server/client key
certs.
  
   Right now, the Openssl prompt me for password when generating CA
 key/cert:
  
   openssl req -new -x509 -days 3650 -keyout cakey.pem -out
   trusted_ca_cert.pem -config openssl.cnf
  
   (1) Is there a way to use the password as a parameter so that I can
 create
   the CA key/cert with just one command, without any password prompting?
  
   The command below is for generating client/server key/cert. It prompt
me
  for
   password, the CN, etc.
  
   openssl req -new -keyout test_key.pem -out test_request.pem -config
   openssl.cnf
  
   (2) Is there a way to use the password, CN,etc as parameters so that I
 can
   create the CA key/cert with just one command, without any password,
CN,
  etc
   prompting?
  
   The command below is for certifying the client/server cert using the
CA.
  It
   prompt me to approve the certifying.
  
   openssl ca -policy policy_anything -out test_cert.pem -config
   openssl.cnf -infiles test_new.pem
  
   (3) Is there a way to use parameter such that the command will not
 prompt
  me
   to confirm certifying the certificate?
  
   Thanks.
  
   Hon Luen
  
 
 
  ---
  Outgoing mail is certified Virus Free.
  Checked by AVG anti-virus system (http://www.grisoft.com).
  Version: 6.0.486 / Virus Database: 284 - Release Date: 5/30/2003
 

Re: Automating Openssl commands

2003-06-06 Thread Dr. Stephen Henson
On Fri, Jun 06, 2003, Kwan Hon Luen wrote:

 Hi,
 
 How do I automate the signing of server certificate by a CA ?
 without the following prompt:
 
 (1) Enter PEM pass phrase:
 (2) Sign the certificate?
 (3) commit?
 

Use the 'x509' utility instead, passphrase can be entered via -passin there
are no other prompts.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


Re: Automating Openssl commands

2003-06-06 Thread pablo neira
Dr. Stephen Henson wrote:

On Fri, Jun 06, 2003, Kwan Hon Luen wrote:

 

Hi,

How do I automate the signing of server certificate by a CA ?
without the following prompt:
(1) Enter PEM pass phrase:
(2) Sign the certificate?
(3) commit?
   

Use the 'x509' utility instead, passphrase can be entered via -passin there
are no other prompts.

but this way you don't keep the index.txt file the all valid 
certificates generated, so it seems there's no way to automate the 
process by using the 'ca' utility, am I right?

Thanks
Pablo


Re: Automating Openssl commands

2003-06-06 Thread Dr. Stephen Henson
On Fri, Jun 06, 2003, pablo neira wrote:

 Dr. Stephen Henson wrote:
 
 On Fri, Jun 06, 2003, Kwan Hon Luen wrote:
 
  
 
 Hi,
 
 How do I automate the signing of server certificate by a CA ?
 without the following prompt:
 
 (1) Enter PEM pass phrase:
 (2) Sign the certificate?
 (3) commit?
 

 
 
 Use the 'x509' utility instead, passphrase can be entered via -passin there
 are no other prompts.
 
 
 but this way you don't keep the index.txt file the all valid 
 certificates generated, so it seems there's no way to automate the 
 process by using the 'ca' utility, am I right?
 

Well if you need 'ca' you can try the -batch option.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
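
Added example, not part of any message in this thread: a scratch CA whose policy marks commonName as supplied, showing that `openssl ca -batch` signs without prompts, still refuses a request that lacks commonName (the error explained in the 2003-08-11 reply), and records each issued certificate in index.txt. The directory layout, subject values, reduced policy section and the passphrase file read with -passin file: are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the thread: all names, paths and the passphrase are constructed.
make_ca() {                       # $1 = scratch directory
  d=$1
  mkdir -p "$d/demoCA/newcerts" "$d/demoCA/private"
  : > "$d/demoCA/index.txt"
  echo 01 > "$d/demoCA/serial"
  printf '%s\n' 'constructed-demo-passphrase' > "$d/ca.pass"  # file:, not pass:, keeps it out of argv
  chmod 600 "$d/ca.pass"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d/demoCA
serial = \$dir/serial
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ ca_dn ]
C = US
O = acme
CN = Constructed Test CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -new -x509 -newkey rsa:2048 -days 30 -config "$d/ca.cnf" \
    -passout "file:$d/ca.pass" -keyout "$d/demoCA/private/cakey.pem" \
    -out "$d/demoCA/cacert.pem" 2>/dev/null
}
make_csr() {                      # $1 = dir, $2 = name, $3 = CN (empty string omits it)
  { printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nC = US\nO = acme\n'
    [ -z "$3" ] || printf 'CN = %s\n' "$3"; } > "$1/$2.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
csr_has_cn() {                    # pre-flight check: does the request carry a commonName?
  openssl req -in "$1" -noout -subject -nameopt multiline | grep -q commonName
}
sign_csr() {                      # $1 = dir, $2 = name; -batch suppresses both y/n prompts
  openssl ca -batch -notext -config "$1/ca.cnf" -passin "file:$1/ca.pass" \
    -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
work=$(mktemp -d)
make_ca "$work"
make_csr "$work" nocn "" && { sign_csr "$work" nocn || echo "nocn: refused, commonName missing"; }
make_csr "$work" web www.acme.com && sign_csr "$work" web && cat "$work/demoCA/index.txt"
```

Running csr_has_cn before sign_csr in an unattended job gives a clear failure reason without touching the CA key.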


Re: Automating Openssl commands

2003-06-06 Thread Charles B Cranston
Steve, the other reason I've been forced to move from x509 to ca
is that ca appears to be the ONLY binary program that can sign
SPKAC files.  Is there another way to do this that I have missed?

Dr. Stephen Henson wrote:
On Fri, Jun 06, 2003, pablo neira wrote:


Dr. Stephen Henson wrote:


On Fri, Jun 06, 2003, Kwan Hon Luen wrote:




Hi,

How do I automate the signing of server certificate by a CA ?
without the following prompt:
(1) Enter PEM pass phrase:
(2) Sign the certificate?
(3) commit?
 

Use the 'x509' utility instead, passphrase can be entered via -passin there
are no other prompts.
but this way you don't keep the index.txt file the all valid 
certificates generated, so it seems there's no way to automate the 
process by using the 'ca' utility, am I right?



Well if you need 'ca' you can try the -batch option.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben


Re: Automating Openssl commands

2003-06-06 Thread Dr. Stephen Henson
On Fri, Jun 06, 2003, Charles B Cranston wrote:

 Steve, the other reason I've been forced to move from x509 to ca
 is that ca appears to be the ONLY binary program that can sign
 SPKAC files.  Is there another way to do this that I have missed?
 

Well if you need SPKAC support then yes currently you also need to use 'ca'.
Similarly if you need to generate CRLs.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


Re: Automating Openssl commands

2003-06-05 Thread pablo
Hi,

I'm developing a CA which automates this stuff that you need, maybe it 
could help you (http://cultura.eii.us.es/~pablo/elyca/), it's free 
software and still an early release but if you only need to generate 
certs for your servers I suppose it's enough for you. There's also 
similar free software out there (have a look at freshmeat).

Pablo

Kwan Hon Luen wrote:

Hi ,

I am currently using Openssl to generate CA and server/client key certs.

Right now, the Openssl prompt me for password when generating CA key/cert:

openssl req -new -x509 -days 3650 -keyout cakey.pem -out
trusted_ca_cert.pem -config openssl.cnf

(1) Is there a way to use the password as a parameter so that I can create
the CA key/cert with just one command, without any password prompting?

The command below is for generating client/server key/cert. It prompt me for
password, the CN, etc.

openssl req -new -keyout test_key.pem -out test_request.pem -config
openssl.cnf

(2) Is there a way to use the password, CN,etc as parameters so that I can
create the CA key/cert with just one command, without any password, CN, etc
prompting?

The command below is for certifying the client/server cert using the CA. It
prompt me to approve the certifying.

openssl ca -policy policy_anything -out test_cert.pem -config
openssl.cnf -infiles test_new.pem

(3) Is there a way to use parameter such that the command will not prompt me
to confirm certifying the certificate?
Thanks.

Hon Luen



RE: Automating Openssl commands

2003-06-04 Thread Michael Czapski
You could try something like:

echo [ req ] > abc\abc_csr.conf
echo distinguished_name=req_distinguished_name >> abc\abc_csr.conf
echo req_extensions = v3_req >> abc\abc_csr.conf
echo prompt=no >> abc\abc_csr.conf
echo [ req_distinguished_name ] >> abc\abc_csr.conf
echo C=AU >> abc\abc_csr.conf
echo ST=New South Wales >> abc\abc_csr.conf
echo L=Sydney >> abc\abc_csr.conf
echo O=Doddgy Brothers Very Limited >> abc\abc_csr.conf
echo OU=Security Division >> abc\abc_csr.conf
echo [EMAIL PROTECTED] >> abc\abc_csr.conf
echo [EMAIL PROTECTED] >> abc\abc_csr.conf
echo [ v3_req ] >> abc\abc_csr.conf
echo basicConstraints = critical,CA:FALSE >> abc\abc_csr.conf
echo keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement >> abc\abc_csr.conf
echo extendedKeyUsage=emailProtection,clientAuth >> abc\abc_csr.conf

.\bin\openssl req -outform PEM -out abc\abc.pem.csr -key abc\abc.pem.private.key -keyform PEM -sha1 -days 700 -new -config abc\abc_csr.conf -passin pass:somepassphrase

Cheers


 -Original Message-
From:   [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]  On Behalf Of Kwan Hon Luen
Sent:   Tuesday, June 03, 2003 5:31 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject:Re: Automating Openssl commands

Hi ,

Thanks.

How do I automate the creation of certificate as well by supplying the
following attributes?

countryName
stateOrProvinceName
localityName
organizationName
organizationalUnitName
commonName

Thanks.

Hon Luen



- Original Message -
From: Marcus Carey [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 03, 2003 3:23 PM
Subject: Re: Automating Openssl commands


 Under the request section in the openssl.cnf file add the password
 parameters.

 [req]
 input_password =
 output_password =

 Marcus

 - Original Message -
 From: Kwan Hon Luen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 02, 2003 7:07 PM
 Subject: Automating Openssl commands


  Hi ,
 
  I am currently using Openssl to generate CA and server/client key certs.
 
  Right now, the Openssl prompt me for password when generating CA
key/cert:
 
  openssl req -new -x509 -days 3650 -keyout cakey.pem -out
  trusted_ca_cert.pem -config openssl.cnf
 
  (1) Is there a way to use the password as a parameter so that I can
create
  the CA key/cert with just one command, without any password prompting?
 
  The command below is for generating client/server key/cert. It prompt me
 for
  password, the CN, etc.
 
  openssl req -new -keyout test_key.pem -out test_request.pem -config
  openssl.cnf
 
  (2) Is there a way to use the password, CN,etc as parameters so that I
can
  create the CA key/cert with just one command, without any password, CN,
 etc
  prompting?
 
  The command below is for certifying the client/server cert using the CA.
 It
  prompt me to approve the certifying.
 
  openssl ca -policy policy_anything -out test_cert.pem -config
  openssl.cnf -infiles test_new.pem
 
  (3) Is there a way to use parameter such that the command will not
prompt
 me
  to confirm certifying the certificate?
 
  Thanks.
 
  Hon Luen
 