Re: [openssl-users] Cant seem to get prompt no to work

2017-08-19 Thread Robert Moskowitz



On 08/19/2017 04:00 AM, Peter Sylvester wrote:

On 08/18/2017 07:16 PM, Dr. Stephen Henson wrote:

On Thu, Aug 17, 2017, Robert Moskowitz wrote:


In the [ ca ] section I have:

prompt   = no

If I leave the = out I get an error, so I am assuming I got the
format of this right.

Then I have

[ req ]
distinguished_name  = req_distinguished_name

[ req_distinguished_name ]
countryName = $ENV::countryName
stateOrProvinceName = $ENV::stateOrProvinceName

In a terminal window I run:

export countryName=US
export stateOrProvinceName=MI

What about:

[ req_distinguished_name ]
countryName = "Country Name (e.g. FR)"
countryName_value = $ENV::countryName
stateOrProvinceName = "State or Province"
stateOrProvinceName_value = $ENV::stateOrProvinceName

  


And what happens when you have

stateOrProvinceName=

the length of stateOrProvinceName_value is zero.

When stateOrProvinceName was length zero, I got the error.

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Cant seem to get prompt no to work

2017-08-19 Thread Peter Sylvester
On 08/18/2017 07:16 PM, Dr. Stephen Henson wrote:
> On Thu, Aug 17, 2017, Robert Moskowitz wrote:
>
>> In the [ ca ] section I have:
>>
>> prompt   = no
>>
>> If I leave the = out I get an error, so I am assuming I got the
>> format of this right.
>>
>> Then I have
>>
>> [ req ]
>> distinguished_name  = req_distinguished_name
>>
>> [ req_distinguished_name ]
>> countryName = $ENV::countryName
>> stateOrProvinceName = $ENV::stateOrProvinceName
>>
>> In a terminal window I run:
>>
>> export countryName=US
>> export stateOrProvinceName=MI
What about:

[ req_distinguished_name ]
countryName = "Country Name (e.g. FR)"
countryName_value = $ENV::countryName
stateOrProvinceName = "State or Province"
stateOrProvinceName_value = $ENV::stateOrProvinceName

 



Re: [openssl-users] Cant seem to get prompt no to work

2017-08-18 Thread Robert Moskowitz



On 08/18/2017 01:16 PM, Dr. Stephen Henson wrote:

On Thu, Aug 17, 2017, Robert Moskowitz wrote:


In the [ ca ] section I have:

prompt   = no

If I leave the = out I get an error, so I am assuming I got the
format of this right.

Then I have

[ req ]
distinguished_name  = req_distinguished_name

[ req_distinguished_name ]
countryName = $ENV::countryName
stateOrProvinceName = $ENV::stateOrProvinceName

In a terminal window I run:

export countryName=US
export stateOrProvinceName=MI

then

openssl req -config openssl-root.cnf -key private/ca.key.pem \
    -new -x509 -days 7300 -sha256 -extensions v3_ca \
    -out certs/ca.cert.pem


And I am still getting prompted for the DN fields:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
US []:

What did I miss?


Since this is the req command try "prompt = no" in the req section.


Thank you, but I did get past this point.  I got prompt no working, and 
the way it worked just did not work well enough.


I threw the towel in on ENV and did get -subj $DN working...

thanks

Bob



Re: [openssl-users] Cant seem to get prompt no to work

2017-08-18 Thread Dr. Stephen Henson
On Thu, Aug 17, 2017, Robert Moskowitz wrote:

> In the [ ca ] section I have:
> 
> prompt   = no
> 
> If I leave the = out I get an error, so I am assuming I got the
> format of this right.
> 
> Then I have
> 
> [ req ]
> distinguished_name  = req_distinguished_name
> 
> [ req_distinguished_name ]
> countryName = $ENV::countryName
> stateOrProvinceName = $ENV::stateOrProvinceName
> 
> In a terminal window I run:
> 
> export countryName=US
> export stateOrProvinceName=MI
> 
> then
> 
> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>     -new -x509 -days 7300 -sha256 -extensions v3_ca \
>     -out certs/ca.cert.pem
> 
> 
> And I am still getting prompted for the DN fields:
> 
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> US []:
> 
> What did I miss?
> 

Since this is the req command try "prompt = no" in the req section.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Cant seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz



On 08/17/2017 07:01 PM, Jakob Bohm wrote:

On 18/08/2017 00:09, Robert Moskowitz wrote:



On 08/17/2017 05:38 PM, Salz, Rich wrote:

declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU.  You should not set it and see if 
that works


organizationalUnitName = "."  puts a . in it.  So I have to figure 
out a way to drop that line from the config.


like if a field is not needed:

sed -i -e "s/^organizationalUnitName/#organizationalUnitName/w /dev/stdout" openssl-root.cnf



But this is not quite right.  I have to find the one that has ENV in 
it.  I DO have an example of one such to use...




Given all these problems with the Distinguished Name prompting
mechanism, just add the -subject option to the req command line
(using appropriate environment variables in the shell script).


Always an option, Jakob.  I have done this in the past for my 
self-signed certs.  I am trying the config approach now.  But I may step 
back...


I AM making my CA certs.  With a SAN caveat in the root cert.

Slow progress.

Bob



Re: [openssl-users] Cant seem to get prompt no to work

2017-08-17 Thread Jakob Bohm

On 18/08/2017 00:09, Robert Moskowitz wrote:



On 08/17/2017 05:38 PM, Salz, Rich wrote:

declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU.  You should not set it and see if 
that works


organizationalUnitName = "."  puts a . in it.  So I have to figure out 
a way to drop that line from the config.


like if a field is not needed:

sed -i -e "s/^organizationalUnitName/#organizationalUnitName/w /dev/stdout" openssl-root.cnf



But this is not quite right.  I have to find the one that has ENV in 
it.  I DO have an example of one such to use...




Given all these problems with the Distinguished Name prompting
mechanism, just add the -subject option to the req command line
(using appropriate environment variables in the shell script).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] Cant seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz



On 08/17/2017 05:38 PM, Salz, Rich wrote:

declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1

You are setting an empty OU.  You should not set it and see if that works
 

organizationalUnitName = "."  puts a . in it.  So I have to figure out a 
way to drop that line from the config.


like if a field is not needed:

sed -i -e "s/^organizationalUnitName/#organizationalUnitName/w /dev/stdout" openssl-root.cnf



But this is not quite right.  I have to find the one that has ENV in 
it.  I DO have an example of one such to use...





Re: [openssl-users] Cant seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz

ARGH!!!

On 08/17/2017 05:38 PM, Salz, Rich wrote:

declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1

You are setting an empty OU.  You should not set it and see if that works


So now I have to figure out how to handle an empty variable.  Need to 
see what will happen if the variable has a value of "." that the 
prompting takes for dropping that object...


The resultant cert does not have the SAN.  That is another thing I need 
to figure out.





Re: [openssl-users] Cant seem to get prompt no to work

2017-08-17 Thread Salz, Rich via openssl-users
> declare -x organizationalUnitName=""
> routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
   
You are setting an empty OU.  You should not set it and see if that works 




Re: [openssl-users] Cant seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz



On 08/17/2017 04:17 PM, Robert Moskowitz wrote:



On 08/17/2017 04:09 PM, Salz, Rich wrote:

Use the -batch flag to avoid all prompting


I commented out the prompt line and tried again:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
    -new -x509 -days 7300 -sha256 -batch -extensions v3_ca \
    -out certs/ca.cert.pem

Enter pass phrase for private/ca.key.pem:
error, no objects specified in config file
problems making Certificate Request

Is it not liking the use of ENV for the DN objects?  It worked for 
$ENV::dir...


export

...

declare -x adminemail="postmas...@htt-consult.com"
declare -x commonName="Root CA"
declare -x countryName="US"
declare -x dir="/root/ca"
declare -x localityName="Oak Park"
declare -x organizationName="HTT Consulting"
declare -x organizationalUnitName=""
declare -x stateOrProvinceName="MI"


[ req_distinguished_name ]
# See .
countryName             = $ENV::countryName
stateOrProvinceName     = $ENV::stateOrProvinceName
localityName            = $ENV::localityName
0.organizationName      = $ENV::organizationName
organizationalUnitName  = $ENV::organizationalUnitName
commonName              = $ENV::commonName


When I put prompt = no at the beginning of the [req] section (I saw 
that on one site), I get:


problems making Certificate Request
140134179792760:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1


Is ENV not working in [req_distinguished_name]?


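A complete non-interactive version of what this thread is circling, added here as an example; it is not code from any of the posts. The two formats of `[ req_distinguished_name ]` are easy to mix up. In prompting mode (the default; `-batch` only answers the prompts with the defaults) the right-hand side of `countryName = ...` is the prompt text and the value comes from `countryName_default` (or the `_value` form Peter shows), which is why the prompt above reads `US []:` and why the `-batch` run ends in "no objects specified in config file". With `prompt = no` in `[ req ]` (a `prompt` line in `[ ca ]` is only read by `openssl ca`) the right-hand side is the value itself, and an empty value fails with `ASN1_mbstring_ncopy:string too short ... minsize=1`. The script below therefore writes the `prompt = no` form from the same environment variables used above, leaves out any variable that is empty (the `organizationalUnitName` case), and also builds the equivalent `-subj` string with the escaping that option needs. Assumptions: the address `postmaster@example.com` is a placeholder, and the `[ v3_ca ]` section is a minimal one written for the example (the thread never shows its own). The SAN goes into that section because `openssl req -x509` applies `x509_extensions`, not `req_extensions`, which is what left the root certificate above without one. The `openssl` calls at the end only run if the binary is present.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds a non-interactive
# `openssl req` config from the same environment variables the thread uses.
# Under `prompt = no`, req takes each value verbatim and an empty value fails
# with "ASN1_mbstring_ncopy:string too short ... minsize=1", so fields whose
# variable is empty are left out of the section instead of being set to "".
set -eu

# Constructed sample values (from the thread's `export` listing); anything
# already set in the environment takes precedence.
: "${countryName:=US}"
: "${stateOrProvinceName:=MI}"
: "${localityName:=Oak Park}"
: "${organizationName:=HTT Consulting}"
: "${organizationalUnitName:=}"            # empty on purpose: must be skipped
: "${commonName:=Root CA}"
: "${adminemail:=postmaster@example.com}"  # assumed address for the SAN

# DN attributes in the order they should appear: short name:variable name.
DN_FIELDS="C:countryName ST:stateOrProvinceName L:localityName \
O:organizationName OU:organizationalUnitName CN:commonName"

# Escape a value for a double-quoted OpenSSL config string, where only
# backslash and the quote itself are special ($ is not expanded inside quotes).
cnf_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Escape a value for -subj, where '/', '+' and backslash are special.
subj_escape() { printf '%s' "$1" | sed 's|[\\/+]|\\&|g'; }

# Emit the body of [ req_distinguished_name ] in `prompt = no` form, one
# `attr = "value"` line per non-empty variable. Returns 1 if nothing was
# emitted, since req would then fail with "no objects specified in config file".
dn_section() {
    n=0
    for pair in $DN_FIELDS; do
        var=${pair#*:}
        eval "val=\${$var}"
        [ -n "$val" ] || continue
        printf '%s = "%s"\n' "$var" "$(cnf_escape "$val")"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Emit the equivalent -subj argument, e.g. /C=US/ST=MI/O=HTT Consulting/CN=Root CA
dn_subj() {
    s=""
    for pair in $DN_FIELDS; do
        short=${pair%%:*}
        var=${pair#*:}
        eval "val=\${$var}"
        [ -n "$val" ] || continue
        s="$s/$short=$(subj_escape "$val")"
    done
    [ -n "$s" ] && printf '%s\n' "$s"
}

# Write a complete req config. `prompt = no` lives in [ req ]; a prompt line
# in [ ca ] is only read by `openssl ca`. The SAN sits in the section named by
# x509_extensions because that, not req_extensions, is what -x509 applies.
write_req_config() {
    cat <<EOF
[ req ]
prompt              = no
distinguished_name  = req_distinguished_name
string_mask         = utf8only
default_md          = sha256
x509_extensions     = v3_ca

[ req_distinguished_name ]
EOF
    dn_section
    cat <<EOF

[ v3_ca ]
basicConstraints        = critical, CA:true
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
subjectAltName          = email:$adminemail
EOF
}

# Demonstration: self-sign a root with the generated config and show the
# subject and SAN that came out. Runs only when an openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    write_req_config > "$work/openssl-root.cnf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/ca.key.pem" 2>/dev/null
    openssl req -config "$work/openssl-root.cnf" -key "$work/ca.key.pem" \
        -new -x509 -days 7300 -sha256 -extensions v3_ca -out "$work/ca.cert.pem"
    # The -subj form needs no DN section at all:  -subj "$(dn_subj)"
    openssl x509 -in "$work/ca.cert.pem" -noout -subject
    openssl x509 -in "$work/ca.cert.pem" -noout -text | grep -A1 'Subject Alternative Name'
    rm -rf "$work"
fi
```

Running it with the sample values prints a subject of C=US, ST=MI, L=Oak Park, O=HTT Consulting, CN=Root CA with no OU and an email SAN; exporting `organizationalUnitName=Security` before running it adds the OU back without touching the config file, which is the "find the one that has ENV in it" problem the sed approach above runs into.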


Re: [openssl-users] Cant seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz



On 08/17/2017 04:17 PM, Robert Moskowitz wrote:



On 08/17/2017 04:09 PM, Salz, Rich wrote:

Use the -batch flag to avoid all prompting


I commented out the prompt line and tried again:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
    -new -x509 -days 7300 -sha256 -batch -extensions v3_ca \
    -out certs/ca.cert.pem

Enter pass phrase for private/ca.key.pem:
error, no objects specified in config file
problems making Certificate Request

Is it not liking the use of ENV for the DN objects?  It worked for 
$ENV::dir...


export

...

declare -x adminemail="postmas...@htt-consult.com"
declare -x commonName="Root CA"
declare -x countryName="US"
declare -x dir="/root/ca"
declare -x localityName="Oak Park"
declare -x organizationName="HTT Consulting"
declare -x organizationalUnitName=""
declare -x stateOrProvinceName="MI"


[ req_distinguished_name ]
# See .
countryName             = $ENV::countryName
stateOrProvinceName     = $ENV::stateOrProvinceName
localityName            = $ENV::localityName
0.organizationName      = $ENV::organizationName
organizationalUnitName  = $ENV::organizationalUnitName
commonName              = $ENV::commonName


I don't think it is the use of $ENV, as the following in cnf got the 
same failure:


countryName             = US
stateOrProvinceName     = MI
localityName            = "Oak Park"
0.organizationName      = "HTT Consulting"
organizationalUnitName  =
commonName              = "Root CA"

I have removed the _default entries




Re: [openssl-users] Cant seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz



On 08/17/2017 04:09 PM, Salz, Rich wrote:

Use the -batch flag to avoid all prompting


I commented out the prompt line and tried again:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
    -new -x509 -days 7300 -sha256 -batch -extensions v3_ca \
    -out certs/ca.cert.pem

Enter pass phrase for private/ca.key.pem:
error, no objects specified in config file
problems making Certificate Request

Is it not liking the use of ENV for the DN objects?  It worked for 
$ENV::dir...


export

...

declare -x adminemail="postmas...@htt-consult.com"
declare -x commonName="Root CA"
declare -x countryName="US"
declare -x dir="/root/ca"
declare -x localityName="Oak Park"
declare -x organizationName="HTT Consulting"
declare -x organizationalUnitName=""
declare -x stateOrProvinceName="MI"


[ req_distinguished_name ]
# See .
countryName             = $ENV::countryName
stateOrProvinceName     = $ENV::stateOrProvinceName
localityName            = $ENV::localityName
0.organizationName      = $ENV::organizationName
organizationalUnitName  = $ENV::organizationalUnitName
commonName              = $ENV::commonName




Re: [openssl-users] Cant seem to get prompt no to work

2017-08-17 Thread Salz, Rich via openssl-users
Use the -batch flag to avoid all prompting



Re: [openssl-users] Cant seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz



On 08/17/2017 03:39 PM, Salz, Rich via openssl-users wrote:

In the CA section, you have to specify which fields you need/want in the DN.  
This is the “policy” identifier which points to a section that names the RDNs 
you want/need.


I have that:

[ ca ]
# `man ca`
default_ca        = CA_default

[ CA_default ]
# Directory and file locations.
# dir             = /root/ca
certs             = $ENV::dir/certs
crl_dir           = $ENV::dir/crl
new_certs_dir     = $ENV::dir/newcerts
database          = $ENV::dir/index.txt
serial            = $ENV::dir/serial
RANDFILE          = $ENV::dir/private/.rand

# The root key and root certificate.
private_key       = $ENV::dir/private/ca.key.pem
certificate       = $ENV::dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $ENV::dir/crlnumber
crl               = $ENV::dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict
prompt            = no

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
req_extensions      = req_ext

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See .
countryName             = $ENV::countryName
stateOrProvinceName     = $ENV::stateOrProvinceName
localityName            = $ENV::localityName
0.organizationName      = $ENV::organizationName
organizationalUnitName  = $ENV::organizationalUnitName
commonName              = $ENV::commonName

[ req_ext ]
subjectAltName = email:$ENV::adminemail




Re: [openssl-users] Cant seem to get prompt no to work

2017-08-17 Thread Salz, Rich via openssl-users
In the CA section, you have to specify which fields you need/want in the DN.  
This is the “policy” identifier which points to a section that names the RDNs 
you want/need.
