Andreas Schuldei wrote:
>
> I am not on this list, please cc: me.
>
> I try to generate several certificates automatically. I avoid typing in the
> info for the Certificate Request by a trick I found in the archives.
>
> This is a part of my shell script:
>
> ###################################################
>
> (cat << EOF
> [ req ]
> default_bits = 2048
> distinguished_name = req_DN
>
> [ req_DN ]
> countryName = "Country Name"
> countryName_value = $ENV::CERT_COUNTRY
> localityName = "Locality Name"
> localityName_value = $ENV::CERT_LOCALITY
> organizationName = "Organisation"
> organizationName_value = $ENV::CERT_ORG
> commonName = "Common Name"
> commonName_value = $ENV::CERT_CN
>
> [ x509v3 ]
> subjectAltName = "me@work"
> subjectAltName_value = $ENV::CERT_EMAIL
> EOF
> )> local_openssl.conf
>
> # key and cert for the CA
>
> export CERT_COUNTRY="se"
> export CERT_LOCALITY="a" #"${NAME[0]}"
> export CERT_ORG="b" #Frontyard
> export CERT_CN="q" #"${IP[0]}"
> export CERT_EMAIL="c" #"[EMAIL PROTECTED]"
>
> openssl genrsa -out /etc/ssl/private/ca.key 128
> openssl req -new -key /etc/ssl/private/ca.key \
> -out /etc/ssl/private/ca.csr -config local_openssl.conf
> openssl x509 -req -days 31 -in /etc/ssl/private/ca.csr \
> -signkey /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
>
> ###########################################################
>
> This generates this output on my xterm:
>
> ./mkconf.sh
> warning, not much extra random data, consider using the -rand option
> Generating RSA private key, 128 bit long modulus
> ..+++++++++++++++++++++++++++
> ...+++++++++++++++++++++++++++
> e is 65537 (0x10001)
> Using configuration from local_openssl.conf
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name []:::CERT_COUNTRY
> problems making Certificate Request
> 3947:error:0D11A0A3:asn1 encoding routines:ASN1_mbstring_copy:string too long:a_mbstr.c:154:maxsize=2
> /etc/ssl/private/ca.csr: No such file or directory
> mkdir: cannot create directory `schuldei': File exists
>
> and nothing but my local key was generated.
>
> What is the problem?
>
The problem is that the shell is attempting to expand $ENV, with the
result that you end up with ::CERT_COUNTRY in the config file.
You should escape it appropriately.
However there is now a better way to do this kind of thing. Check out
the req manual page and the examples.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
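
The failure diagnosed in the reply above, reproduced as an added example that is not part of the original thread: an unquoted here-document delimiter lets the shell expand `$ENV` before OpenSSL ever reads the file, while a quoted delimiter (or writing `\$ENV`) keeps the reference literal. The function names and the `find_mangled_env` check are hypothetical helpers introduced here, and the config is a shortened, constructed copy of the one in the question.

```shell
#!/bin/sh
# Added example (not from the thread): how $ENV::CERT_COUNTRY became ::CERT_COUNTRY.

# Unquoted delimiter: the shell expands $ENV inside the body. ENV is unset
# in the subshell to mirror the original run, so it expands to nothing.
write_conf_expanded() (
    unset ENV
    cat > "$1" << EOF
[ req_DN ]
countryName = "Country Name"
countryName_value = $ENV::CERT_COUNTRY
commonName = "Common Name"
commonName_value = $ENV::CERT_CN
EOF
)

# Quoted delimiter: the body is written verbatim, so OpenSSL receives
# $ENV::CERT_COUNTRY and resolves it from the environment itself.
write_conf_literal() {
    cat > "$1" << 'EOF'
[ req_DN ]
countryName = "Country Name"
countryName_value = $ENV::CERT_COUNTRY
commonName = "Common Name"
commonName_value = $ENV::CERT_CN
EOF
}

# Hypothetical lint: print "name = ::VAR" lines, the trace left behind when
# the shell has consumed $ENV. Exit status 0 means a mangled line was found.
find_mangled_env() {
    grep -n -E '=[[:space:]]*::[A-Za-z_][A-Za-z0-9_]*[[:space:]]*$' "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    write_conf_expanded "$dir/bad.conf"
    write_conf_literal "$dir/good.conf"
    for f in bad good; do
        if find_mangled_env "$dir/$f.conf" > /dev/null; then
            echo "$f.conf: shell consumed \$ENV"
        else
            echo "$f.conf: \$ENV:: references intact"
        fi
    done
    rm -rf "$dir"
}
demo
```

Running the lint on the generated file before calling `openssl req` catches the problem earlier than the `string too long` ASN.1 error does.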