> Please if there is some possibility of noninteractive creating I would
> like to know it. The problem is that openssl req -in wants some request
I've done some sh scripts that do programmatic input to req.  The full
text of the script is appended at the bottom, but the basic trick is to
use a conf file with prompt=no and then use $ substitution to put the
right things in.  Like this:

...
# openssl req
[req]
prompt = no
distinguished_name = UMCP_SSLS_DN

# DN fields for SSL Server cert
[UMCP_SSLS_DN]
C = US
ST = Maryland
O = UMCP/OIT/TSS/EIS
CN = $CERTHOST
emailAddress = $CERTMAIL

Note how environment variables CERTHOST and CERTMAIL from the script are
edited into the information put into the request.

=====

Hope this helps, the following is a conversational script that asks for
the info and then does the non-interactive req that you want to do:

#! /bin/sh
# Conversational version of makec: make SSL server certificate

# The higher-level certificate to sign the certificate with.
# Note: SIGNNAME is only used in echo to the user.
SIGNNAME="Key B"
SIGNKEY=keyb.pem
SIGNCERT=certb.pem

# CERTHOST - host name the cert is for            foombar.umd.edu
# CERTMAIL - email address for the cert           [EMAIL PROTECTED]
# CERTFILE - filename cert written to             foombar.umd.edu-cert.pem
# CERTKEYF - f/n private key written to           foombar.umd.edu-enckey.pem
# UNIQNAME - unique name for scratch file
# CONFFILE - OpenSSL config file we create
# RANDFILE - OpenSSL random file we create
# PIPEFILE - file to pipe from "req" to "x509"

case "$#" in
0)  # No arguments - ask for host name and email
    echo ""
    echo "This script generates certificates for SSL servers."
    echo ""
    while true; do
        /usr/ucb/echo -n "Internet domain and host name of the server (or ?): "
        if read CERTHOST; then
            case "$CERTHOST" in
            "?"|"")
                echo ""
                echo "You are being asked for the internet host and domain name"
                echo "for which the SSL server certificate is being generated."
                echo "Like foombar.umd.edu or something similar."
                echo "";;
            *)
                CERTHOST=`echo "$CERTHOST" | tr A-Z a-z`
                if echo "$CERTHOST" | awk -F'.' '(2>NF){exit 1} {for(i=1;i<=NF;i++)if($i!~/^[0-9a-z][0-9a-z-]*[0-9a-z]$/)exit 1}'
                then
                    break;
                else
                    echo "Golly, \"$CERTHOST\" doesn't look like an internet host name."
                    echo "Enter ? for more information."
                fi
            esac
        else
            echo ""
            echo "`basename $0`: Interaction terminated by end of file"; exit 1
        fi
    done
    while true; do
        /usr/ucb/echo -n "EMAIL address to be included in the certificate (or ?): "
        if read CERTMAIL; then
            case "$CERTMAIL" in
            "?"|"")
                echo ""
                echo "You are being asked for the email address to be included in"
                echo "the SSL certificate that is being generated.  This will be"
                echo "like [EMAIL PROTECTED] or something similar."
                echo "";;
            *)
                CERTMAIL=`echo "$CERTMAIL" | tr A-Z a-z`    # mistake to lowercase???
                if echo "$CERTMAIL" | awk -F'@' '(2!=NF){exit 1}{
                    n=split($1,a,".")
                    for(i=1;i<=n;i++)if(a[i]!~/^[0-9a-z][0-9a-z-]*[0-9a-z]$/)exit 1
                    n=split($2,a,".");if(2>n)exit 1
                    for(i=1;i<=n;i++)if(a[i]!~/^[0-9a-z][0-9a-z-]*[0-9a-z]$/)exit 1}'
                then
                    break
                else
                    echo "Golly, $CERTMAIL doesn't look like an email address."
                    echo "Enter ? for more information."
                fi
            esac
        else
            echo ""
            echo "`basename $0`: Interaction terminated by end of file"; exit 1
        fi
    done;;
2)  # Two arguments, interpret as host and email
    CERTHOST=`echo "$1" | tr A-Z a-z`
    if echo "$CERTHOST" | awk -F'.' '(2>NF){exit 1} {for(i=1;i<=NF;i++)if($i!~/^[0-9a-z][0-9a-z-]*[0-9a-z]$/)exit 1}'
    then :; else
        echo "`basename $0`: bad host name $CERTHOST"
        exit 1
    fi
    CERTMAIL=`echo "$2" | tr A-Z a-z`
    if echo "$CERTMAIL" | awk -F'@' '(2!=NF){exit 1}{
        n=split($1,a,".")
        for(i=1;i<=n;i++)if(a[i]!~/^[0-9a-z][0-9a-z-]*[0-9a-z]$/)exit 1
        n=split($2,a,".");if(2>n)exit 1
        for(i=1;i<=n;i++)if(a[i]!~/^[0-9a-z][0-9a-z-]*[0-9a-z]$/)exit 1}'
    then :; else
        echo "`basename $0`: bad email address $CERTMAIL"
        exit 1
    fi
    ;;
*)  # Any other case is invalid
    echo ""
    echo "Usage: `basename $0` <hostname> <email>"
    echo ""
    exit 1;;
esac

# ask for confirmation
while true; do
    echo "The host name for the certificate is: $CERTHOST"
    echo "The email address for the certificate is: $CERTMAIL"
    /usr/ucb/echo -n "Is this correct? (yn?): "
    if read resp; then
        resp=`echo "$resp" | tr A-Z a-z`
        case "$resp" in
        y|ye|yes) break;;
        n|no) echo "`basename $0`: Giving up for now."; exit 1;;
        "?"|h|he|hel|help)
            echo ""
            echo "The hostname for the certificate is the hostname for the SSL"
            echo "server machine that the certificate is destined to protect,"
            echo "and should be given in fully qualified internet domain name form"
            echo "(with dots).  Like foombar.umd.edu or similar."
            echo ""
            echo "The email address is embedded in the certificate to give"
            echo "relying parties a point of contact."
            echo ""
            echo "You are being asked to choose Yes or No."
            echo "This script will not proceed until you do so."
            echo "If you choose No, this script will exit"
            echo "without generating a certificate."
            echo "";;
        *) echo "You must choose Yes or No (? for help)";;
        esac
    else
        echo "`basename $0`: interaction terminated by end of file"; exit 1
    fi
done

# Check for overwriting files
CERTFILE="$CERTHOST-cert.pem"
if /bin/test -e $CERTFILE; then
    while true; do
        /usr/ucb/echo -n "$CERTFILE already exists -- overwrite it? (yn?) "
        if read resp; then
            resp=`echo "$resp" | tr A-Z a-z`
            case "$resp" in
            y|ye|yes)
                if rm "$CERTFILE"; then
                    break
                else
                    echo "`basename $0`: could not rm $CERTFILE -- giving up."; exit 1
                fi;;
            n|no) echo "`basename $0`: Giving up for now."; exit 1;;
            "?"|h|he|hel|help)
                echo ""
                echo "The filename into which the certificate is to be written:"
                echo "    $CERTFILE"
                echo "already exists.  This script can either overwrite this file"
                echo "or exit without creating the certificate."
                echo "";;
            *) echo "You must choose Yes or No (? for help)";;
            esac
        else
            echo "`basename $0`: interaction terminated by end of file"; exit 1
        fi
    done
fi
CERTKEYF="$CERTHOST-enckey.pem"
if /bin/test -e $CERTKEYF; then
    while true; do
        /usr/ucb/echo -n "$CERTKEYF already exists -- overwrite it? (yn?) "
        if read resp; then
            resp=`echo "$resp" | tr A-Z a-z`
            case "$resp" in
            y|ye|yes)
                if rm "$CERTKEYF"; then
                    break
                else
                    echo "`basename $0`: could not rm $CERTKEYF -- giving up."; exit 1
                fi;;
            n|no) echo "`basename $0`: Giving up for now."; exit 1;;
            "?"|h|he|hel|help)
                echo ""
                echo "The filename into which the private key is to be written:"
                echo "    $CERTKEYF"
                echo "already exists.  This script can either overwrite this file"
                echo "or exit without creating the certificate."
                echo "";;
            *) echo "You must choose Yes or No (? for help)";;
            esac
        else
            echo "`basename $0`: interaction terminated by end of file"; exit 1
        fi
    done
fi

# OK finally generate the certificate (code from makec)
# Export the variables called in from the OpenSSL config file we make
export CERTHOST
export CERTMAIL
UNIQNAME=`basename $0`.`uname -n`.$$
# echo "$UNIQNAME"
CONFFILE=.conf.$UNIQNAME
RANDFILE=.rand.$UNIQNAME
PIPEFILE=.pipe.$UNIQNAME
export RANDFILE
trap 'rm -f $CERTFILE $CERTKEYF $CONFFILE $RANDFILE $PIPEFILE' 1 2 15
cat <<@eof >$CONFFILE
# SSL server cert/key parms

# Cert extensions
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:false
nsCertType = server

# openssl req
[req]
default_bits = 1024
prompt = no
distinguished_name = UMCP_SSLS_DN

# DN fields for SSL Server cert
[UMCP_SSLS_DN]
C = US
ST = Maryland
O = UMCP/OIT/TSS/EIS
CN = $CERTHOST
emailAddress = $CERTMAIL
@eof
(date;df)>$RANDFILE
echo "SSL Server key will be written to $CERTKEYF"
echo "SSL Server Certificate will be written to $CERTFILE"
echo "First passphrase is to protect key for $CERTHOST"
echo ""
openssl req -config $CONFFILE -newkey rsa -keyout "$CERTKEYF" -out $PIPEFILE
echo ""
echo "Next passphrase is to access $SIGNNAME for signing"
echo ""
openssl x509 -req -extfile $CONFFILE -CA "$SIGNCERT" -CAkey "$SIGNKEY" \
    -days 730 -in "$PIPEFILE" -out "$CERTFILE"
rm -f $CONFFILE $RANDFILE $PIPEFILE
# End of cmake

====

Tomas Kratky wrote:
> Hi all,
> at first I'm sorry for my English :-)
> and second I need to know something - I need to create some requests and
> the only thing I have is a file with this structure:
> [ user 1 ]
> name = ...
> email = ...
> country = ...
> etc...
> so if I want to create a request I must read this file and write this
> information when I am asked
> by openssl req ...
> Please if there is some possibility of noninteractive creating I would
> like to know it. The problem is that openssl req -in wants some request
> file in PEM or DER.
> Maybe if there is a way to write some script which could create a request
> using an existing private key (I have it by use of openssl genrsa ..) and
> this text information I would be really happy ....
> thanx a lot for help
> T.Kratky

--
Charles B. (Ben) Cranston
mailto:zben@;umd.edu
http://www.wam.umd.edu/~zben
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
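The questioner's actual situation differs a little from Ben's script: the DN data already sits in a "[ user N ]" text file, and the private key already exists from openssl genrsa, so what is needed is "openssl req -new -key ..." driven by a prompt = no config rather than "-newkey". The script below is an added example written for this thread, not Ben's makec script and not part of the original mail. It assumes the questioner's field names name, email and country, adds two constructed fields (state and org) to fill the DN, and uses constructed example.org hostnames; everything in SAMPLE_USERS is made up for the demonstration.

```sh
#!/bin/sh
# Added example (not Ben Cranston's script): read a "[ user N ]" text file
# like the one in the question and produce one non-interactive CSR per user
# from an existing private key, using an openssl config with prompt = no.
# Assumptions: keys "name", "email", "country" come from the question;
# "state" and "org" are constructed here so the DN is complete.

# Constructed sample input in the questioner's format.
SAMPLE_USERS=$(cat <<'EOF'
[ user 1 ]
name = www.example.org
email = hostmaster@example.org
country = US
state = Maryland
org = Example Org

[ user 2 ]
name = mail.example.org
email = postmaster@example.org
country = US
state = Maryland
org = Example Org
EOF
)

# list_sections < file : print each "[ ... ]" header with brackets and
# surrounding blanks stripped, one per line.
list_sections() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[[ \t]*/, "", s)
                       sub(/[ \t]*\][ \t]*$/, "", s); print s }'
}

# user_field SECTION KEY < file : print the value of KEY inside [ SECTION ].
# Only the first match is printed; trailing blanks are removed.
user_field() {
    awk -v want="$1" -v key="$2" '
        /^[ \t]*\[/ {                       # section header
            s = $0
            sub(/^[ \t]*\[[ \t]*/, "", s)
            sub(/[ \t]*\][ \t]*$/, "", s)
            insec = (s == want)
            next
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")         # drop "key ="
            sub(/[ \t]*$/, "")
            print
            exit
        }'
}

# make_req_conf CN EMAIL C ST O : print an openssl config with prompt = no.
# Same idea as Ben's heredoc, but the values arrive as arguments, so no
# environment variables need to be exported.
make_req_conf() {
    printf '%s\n' \
        '[req]' \
        'prompt = no' \
        'distinguished_name = dn' \
        '' \
        '[dn]' \
        "C = $3" \
        "ST = $4" \
        "O = $5" \
        "CN = $1" \
        "emailAddress = $2"
}

# gen_request KEYFILE CONFFILE CSRFILE : build and self-sign a CSR with an
# existing private key (the "openssl genrsa" key from the question).
gen_request() {
    openssl req -new -key "$1" -config "$2" -out "$3"
}

# Produce a CSR for every section of the sample file.  Skipped when openssl
# is not installed so the parsing and config generation above still run.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo" >&2; return 0; }
    work=$(mktemp -d)
    printf '%s\n' "$SAMPLE_USERS" > "$work/users.txt"
    openssl genrsa -out "$work/key.pem" 2048 2>/dev/null    # stands in for the existing key
    list_sections < "$work/users.txt" | while IFS= read -r sec; do
        cn=$(user_field "$sec" name    < "$work/users.txt")
        em=$(user_field "$sec" email   < "$work/users.txt")
        c=$(user_field  "$sec" country < "$work/users.txt")
        st=$(user_field "$sec" state   < "$work/users.txt")
        o=$(user_field  "$sec" org     < "$work/users.txt")
        make_req_conf "$cn" "$em" "$c" "$st" "$o" > "$work/req.conf"
        gen_request "$work/key.pem" "$work/req.conf" "$work/$cn.csr"
        # Check the self-signature and show the DN that landed in the request.
        openssl req -noout -verify -subject -in "$work/$cn.csr"
    done
    rm -rf "$work"
}

demo
```

Two points worth knowing when adapting this. OpenSSL's own config parser can also read environment variables directly, with ${ENV::CERTHOST} in place of the shell-expanded $CERTHOST in Ben's heredoc, which keeps the config file static and still works with prompt = no. And the (date;df)>$RANDFILE step in the 2002 script is not needed with a current OpenSSL, which seeds from the operating system; a date and disk-usage listing is a poor entropy source and should not be relied on for key generation today.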