On Fri, Sep 27, 2002 at 05:42:56PM +0200, Mathieu Arnold wrote:
> I've been going through the list archive, and I can't find out how to
> script certificate creation.
> The ideal thing would be to be able to specify things like:
> openssl req -new -x509 -days 3650 -text -out cert.pem -keyout cert.pem
> -passphrase "my stupid passphrase" -country FR -state Marne -locality Reims
> -organisation "my organisation" -organisationalunit "my unit" -commonname
> "mathieu arnold" -email "[EMAIL PROTECTED]"
>
> I was wondering if something similar could be done (even using a file to
> store the information).
Yes, write the info to a config file and pass that as -config. At least,
that's how I do it. e.g.:
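# Write a minimal, non-interactive config for "openssl req".
open(REQCONF, ">$tmpdir/reqconf") or die "cannot write $tmpdir/reqconf: $!";
print REQCONF <<EOF;
[req]
distinguished_name=req_distinguished_name
attributes=req_attributes
prompt=no
[req_attributes]
[req_distinguished_name]
emailAddress=$email
EOF
# Append the DN components ("key=value, key=value, ...") in reverse order,
# one per line, to the [req_distinguished_name] section.
for (reverse split(/, */, $dn)) {
    if (/^[a-zA-Z0-9]+=./) {
        print REQCONF "$_\n";
    }
}
# Flush the config to disk before openssl reads it.
close(REQCONF) or die "cannot close $tmpdir/reqconf: $!";
# openssl() is not defined in this excerpt; presumably a wrapper that runs
# the openssl binary with the given arguments.
openssl("req", "-new", "-config", "$tmpdir/reqconf", "-key", "$tmpdir/key",
        "-out", "$tmpdir/req");
openssl("x509", "-req", "-extensions", "${certype}_cert", "-extfile",
        "$cadir/tinyca-openssl.cnf", "-in", "$tmpdir/req", "-CA",
        "$cadir/public/ca-crt.pem", "-CAkey", "$cadir/private/ca-key.pem",
        "-CAserial", "$cadir/private/serial", "-text",
        "-out", "$tmpdir/newcert");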
HTH. Feedback appreciated. Maybe the OpenCA Perl modules would make this a
whole lot easier. Or just writing an application to replace "req" to do what
I want. Hmmm.
SRH
--
Steve Haslam Reading, UK [EMAIL PROTECTED]
Debian GNU/Linux Maintainer [EMAIL PROTECTED]
almost called it today, turned to face the void, numb with the suffering
and the question- "Why am I?" [queensrÿche]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
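
An added example, not part of the original thread and not the poster's code: the same config-file approach as a POSIX shell sketch, with the input validation a scripted certificate front end needs because DN and e-mail values are written into the config verbatim. The function names, file names (req.cnf, key.pem, cert.pem) and the character allowlist are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, file names and
# the allowlist below are assumptions made for illustration.
LC_ALL=C; export LC_ALL

# Accept only a conservative character set. A newline would start a new
# config line or [section]; '$', '#', '\' and quotes are special in
# OpenSSL config files.
safe_value() {
    [ -n "$1" ] || return 1
    # Delete every allowed character; the trailing "x" keeps a leftover
    # newline from being stripped by the command substitution.
    rest=$(printf '%s' "$1" | tr -d 'A-Za-z0-9 @._-'; printf x)
    [ "$rest" = x ]
}

# Print a prompt=no req config for DN "$1" ("CN=..., O=..., C=..") and
# e-mail "$2". Components are emitted in reverse order, as in the reply.
build_req_config() {
    dn=$1 email=$2 body=
    safe_value "$email" || return 1
    old_ifs=$IFS; IFS=,; set -f
    set -- $dn
    IFS=$old_ifs; set +f
    for kv in "$@"; do
        kv=${kv#"${kv%%[! ]*}"}                 # trim leading spaces
        case $kv in *=*) ;; *) return 1 ;; esac
        key=${kv%%=*} val=${kv#*=}
        case $key in ''|*[!A-Za-z0-9]*) return 1 ;; esac
        safe_value "$val" || return 1
        body="$key=$val
$body"
    done
    printf '%s\n' '[req]' 'distinguished_name=req_distinguished_name' \
        'prompt=no' '[req_distinguished_name]'
    printf 'emailAddress=%s\n%s' "$email" "$body"
}

# Write the config and key with owner-only permissions, then issue a
# self-signed certificate without prompting. -nodes leaves the key
# unencrypted; use -passout instead to protect it with a passphrase.
make_cert() {
    ( umask 077
      build_req_config "$1" "$2" > req.cnf || exit 1
      openssl req -new -x509 -days 3650 -config req.cnf \
          -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem )
}
```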