You seem to be somewhat confused on several counts. I think there is a problem with your script, which I have written here in more readable format:

openssl req -new -keyout newreq.pem -out newreq.pem \
-passin pass:1whatever -passout pass:whatever \
-days 365

Unless there's some new wrinkle to OpenSSL that handles this case, it looks very much like you are writing both the request and the private key to the same file newreq.pem. Is this really correct, or will it bite you later?
Also, on some Unix systems it is possible to read the command lines of other processes, so passing passwords as command line arguments is insecure under these conditions. I don't think you need passin in this case, since there is nothing encrypted to be read.
> openssl ca -policy policy_anything -out newcert.pem \
> -passin pass:whatever -key whatever \
> -extensions xpclient_ext -extfile xpextensions \
> -infiles newreq.pem
> openssl pkcs12 -export -in newcert.pem -inkey newreq.pem \
> -out $1.p12 -clcerts -passin pass:whatever \
> -passout pass:whatever
> openssl x509 -inform PEM -outform DER -in $1.pem \
> -out $1.der
> rm -rf newcert newreq.pem

> When I execute this command I am asked for a challenge password. But I provided at the commands themselves a -passin pass and -passout pass. Is this the same or are these different passwords? It seems to me that the challenge password I am asked to enter during creation is not used for the certificate.
If you mean:
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:G5N5B3Y3
> -----
> An optional company name []:
then it is a different password. This is a password that will be placed into the request that is being generated. The idea is that it may be used to verify the identity of the requestor at a later time when the certificate is being returned to him. I don't think openssl ca does anything directly with it, though. You can control the questions being asked by openssl req by editing the openssl configuration file. By doing so you can make it stop asking this and other questions.
This is a good place to look for the file:
>> Using configuration from /usr/lib/ssl/openssl.cnf
If you cannot edit there you can always use the -config option to specify your OWN configuration file. One of the things I tend to do in scripts is to create a custom config file on the fly using cat <<@eof to do exactly what I want. I'll attach an example.
> And a second question: When I import the .p12 file into Windows I am asked for a password (a Secret). Is this the challenge password?
I believe this is the transport password used to keep the pkcs12 (.p12) data secure while you are moving it around on the internet. My guess is it would be passout on the pkcs12 command but you should check the man to be sure.
Another problem is that (I think) you stomp on the private key in the req command then try to import it from the stomped name in the pkcs12 command. I think maybe you should use two files newreq.pem and newkey.pem?
Or does this actually work? Will req stack the two outputs, request and key, into the same file, then will both ca and pkcs12 know which piece of the file to use???
=====
Example of script that creates a custom OpenSSL config file on the fly:
#! /bin/sh
# Test8 is Test7 with SubjectKeyIdentifier extension added to
# server cert

OPENSSL="/usr/bin/openssl"
CONFFILE=conf.$$
SNUMFILE=snum.$$
CA="University of Maryland CA8"

# Generate the Root certificate

cat <<@eof >$CONFFILE
[req]
# openssl req params
prompt = no
distinguished_name = dn-param
x509_extensions = extend
[dn-param]
# DN fields
C = US
O = University of Maryland
CN = $CA
[extend]
# openssl extensions
nsCertType = sslCA,emailCA,objCA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = CA:true
keyUsage = keyCertSign,cRLSign
nsComment = "See http://cert.umd.edu/root for details."
issuerAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
subjectAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
@eof

$OPENSSL req -config $CONFFILE -x509 -newkey rsa:2048 -days 365 \
-passout pass:aaaaa -keyout root.key.pem -out root.cert.pem

# Generate a server certificate from CSR in csr.pem

cat <<@eof >$CONFFILE
extensions = extend
[extend]
# openssl extensions
nsCertType = SSL Server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = CA:false
keyUsage = Key Encipherment
extendedKeyUsage = serverAuth, clientAuth
nsComment = "See http://cert.umd.edu/server for details."
issuerAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
subjectAltName = email:[EMAIL PROTECTED]
@eof

echo 13 >$SNUMFILE

$OPENSSL x509 -req -extfile $CONFFILE -in csr.pem \
-CAserial $SNUMFILE -days 362 -passin pass:aaaaa \
-CA root.cert.pem -CAkey root.key.pem -out server.cert.pem

rm $CONFFILE $SNUMFILE

cat root.cert.pem server.cert.pem >chain.pem

$OPENSSL x509 -noout -text -in root.cert.pem
$OPENSSL x509 -noout -text -in server.cert.pem
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
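As an added example (not the script from this mail or the asker's script), the arrangement the reply suggests: the key and the request in two files, a config written on the fly with prompt = no so openssl req asks for no challenge password, and every passphrase passed with env: instead of on the command line. The output directory, DN values and default passphrases are constructed, and the self-signing step stands in for the real CA signing.

```shell
#!/bin/sh
# Added example, not the script from the mail: key and CSR in separate files,
# no challenge-password prompt, and no passphrases on the command line.
set -eu
# Build newkey.pem, newreq.pem and client.p12 under $1 (assumed output dir).
issue_demo_identity() {
    dir=$1
    mkdir -p "$dir"
    # Passphrases are read from the environment (env:NAME), so they never show
    # up in another user's ps output; the defaults are constructed demo values.
    : "${KEYPASS:=demo-key-pass}" "${P12PASS:=demo-p12-pass}"
    export KEYPASS P12PASS
    # Config written on the fly: prompt = no suppresses both the DN questions
    # and the 'extra' attributes (challenge password, optional company name).
    cfg=$dir/req.cnf
    cat <<@eof >"$cfg"
[req]
prompt = no
distinguished_name = dn
[dn]
C = US
O = Example Org
CN = client.example.test
@eof

    # The private key and the request go to two different files.
    openssl req -new -newkey rsa:2048 -config "$cfg" \
        -keyout "$dir/newkey.pem" -passout env:KEYPASS \
        -out "$dir/newreq.pem" 2>/dev/null
    # Self-signed only to keep the example complete; a CA would sign the CSR.
    openssl x509 -req -in "$dir/newreq.pem" -days 365 \
        -signkey "$dir/newkey.pem" -passin env:KEYPASS \
        -out "$dir/newcert.pem" 2>/dev/null
    # -passout here is the transport password the Windows importer asks for.
    openssl pkcs12 -export -clcerts -in "$dir/newcert.pem" \
        -inkey "$dir/newkey.pem" -passin env:KEYPASS \
        -passout env:P12PASS -out "$dir/client.p12"
    rm -f "$cfg"
}
# Succeeds only if the PKCS#12 MAC verifies with $P12PASS.
check_p12() {
    openssl pkcs12 -in "$1" -noout -passin env:P12PASS 2>/dev/null
}
if [ "${1:-}" = "run" ]; then
    issue_demo_identity "${2:-./out}" && check_p12 "${2:-./out}/client.p12"
fi
```

Run it as `sh script.sh run ./out`; the key file comes out encrypted under KEYPASS and the .p12 opens only with P12PASS.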
