Re: [openssl-users] scripting creating a cert

2017-03-13 Thread Robert Moskowitz
Viktor, On 03/09/2017 05:53 PM, Viktor Dukhovni wrote: On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote: $ umask 077 # avoid world-readable private keys Perhaps (no perhaps about it) this is old information, but I picked up that I needed: chmod 640 for the

Re: [openssl-users] scripting creating a cert

2017-03-10 Thread Robert Moskowitz
Very nice. But this looks like it is part of the whole easyRSA effort, not something I can easily feed into the openssl command to create the cert. It would take a fair bit of digging to dig out what I need for now. Definitely something I will look into soon, as providing a simple PKI for a

Re: [openssl-users] scripting creating a cert

2017-03-10 Thread Jochen Bern
On 03/10/2017 01:10 AM, openssl-users-requ...@openssl.org digested: > Thing is that this then prompts for a number of fields: [...] > Is there some 'simple' way to provide these answers? Like with env > variables? Yes, and as others have already pointed out, there's also the possibility of

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
On 03/09/2017 08:53 PM, Viktor Dukhovni wrote: On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote: $ umask 077 # avoid world-readable private keys Perhaps (no perhaps about it) this is old information, but I picked up that I needed: chmod 640 for the private keys

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Viktor Dukhovni
> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote: > >> $ umask 077 # avoid world-readable private keys > > Perhaps (no perhaps about it) this is old information, but I picked up that I > needed: > > chmod 640 for the private keys for Apache. (and postfix and

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
Viktor, On 03/09/2017 08:17 PM, Viktor Dukhovni wrote: On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote: I am creating self-signed certs with: openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
Jan, On 03/09/2017 08:06 PM, Jan Danielsson wrote: On 03/10/17 00:49, Robert Moskowitz wrote: [---] Is there some 'simple' way to provide these answers? Like with env variables? I tend to create response files (one response per line) and then simply pipe to openssl: $ cat foo.params

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Viktor Dukhovni
> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote: > > I am creating self-signed certs with: > > openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 > -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 > -extensions

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
Hi, Rich. Fancy meeting you here. On 03/09/2017 07:33 PM, Salz, Rich via openssl-users wrote: Yes there are easier ways to do this. Set up a conf file and use it (via the -conf flag). You can use env vars, set default values, and so on. Look at the config manpages,

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Jan Danielsson
On 03/10/17 00:49, Robert Moskowitz wrote: [---] > Is there some 'simple' way to provide these answers? Like with env > variables? I tend to create response files (one response per line) and then simply pipe to openssl: $ cat foo.params | openssl ... Just make sure openssl doesn't

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Salz, Rich via openssl-users
Yes there are easier ways to do this. Set up a conf file and use it (via the -conf flag). You can use env vars, set default values, and so on. Look at the config manpages, https://www.openssl.org/docs/manmaster/man5/ For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz PS --

[openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
I am creating self-signed certs with: openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 -extensions v3_req Where, for example: your_host_tld=z9m9z.test.htt-consult.com Thing is that this then