Re: [openssl-users] scripting creating a cert

2017-03-13 Thread Robert Moskowitz

Viktor,

On 03/09/2017 05:53 PM, Viktor Dukhovni wrote:

> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote:
>
>>>    $ umask 077 # avoid world-readable private keys
>>
>> Perhaps (no perhaps about it) this is old information, but I picked up that I
>> needed:
>>
>> chmod 640 for the private keys for Apache.  (and postfix and others use these
>> certs; at least they are in their confs)
>
> I strive to avoid the private disclosure race of first creating
> a world-readable file, and then trying to do a quick chmod before
> the bad guys get around to opening it.  That's why I recommend the
> umask approach.
>
> You can adjust the umask to suit your needs.  With OpenSSL 1.1.0,
> if I recall correctly "keyout" files and the like are automatically
> opened mode "0600". Rich Salz, who wrote the CLI option processing
> code for 1.1.0 will correct me, if my memory is faulty.  There are
> still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
> always figure out which files end up having private keys in them,
> so the umask approach is a good precaution to keep using.


Rich got me some help and I have put the following together:

Set the following variables:

countryName=
stateOrProvinceName=
localityName=
organizationName=
organizationalUnitName=
emailAddress=postmaster@$your_domain_tld

Then the following commands create the certs:

restore_mask=$(umask -p)   # bash: captures e.g. "umask 0022" as a command to re-run at the end
umask 077
cd /etc/pki/tls
commonName=$your_host_tld

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 \
    -nodes -keyout private/$commonName.key -keyform PEM -days 3650 \
    -x509 -extensions v3_req -subj \
    "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key
commonName=webmail$your_domain_tld

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 \
    -nodes -keyout private/$commonName.key -keyform PEM -days 3650 \
    -x509 -extensions v3_req -subj \
    "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key
commonName=localhost

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 \
    -nodes -keyout private/$commonName.key -keyform PEM -days 3650 \
    -x509 -extensions v3_req -subj \
    "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key
$restore_mask


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
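The script above and Viktor's umask advice, packaged as an added shell example (this is not code from the thread): the DN is built for -subj from the same seven components, empty ones are dropped rather than emitted as a bare "/OU=", and the key is created under umask 077 and only afterwards opened to the service group with chmod 640, so there is no window in which it is world-readable. It requires openssl(1); the certs/ and private/ layout mirrors the script but is an assumption, the DN values in the demo are constructed, and the page's "-extensions v3_req" is left out so the example does not depend on a section that may be absent from the local openssl.cnf.

```shell
#!/bin/sh
# Added example, not code from the thread. Non-interactive self-signed cert
# creation: DN via -subj, key born 0600 under umask 077, then chmod 640.
# Assumptions: openssl(1) on PATH, output tree $outdir/certs and
# $outdir/private already exists.

# Escape the characters that are special in openssl's "/type=value" subject
# syntax: "/" separates RDNs, "+" joins multi-valued RDNs, "\" escapes.
subj_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's#/#\\/#g' -e 's/+/\\+/g'
}

# Build the -subj string from the seven DN components (C ST L O OU CN
# emailAddress, in that order). Empty components are left out, so a host
# with no OU does not emit a bare "/OU=" for openssl to warn about.
build_subj() {
    dn=""
    for pair in "C=$1" "ST=$2" "L=$3" "O=$4" "OU=$5" "CN=$6" "emailAddress=$7"; do
        key=${pair%%=*}
        val=${pair#*=}
        [ -n "$val" ] && dn="$dn/$key=$(subj_escape "$val")"
    done
    printf '%s\n' "$dn"
}

# Create key and self-signed certificate. umask is lowered in a subshell so
# the caller's mask is untouched; the key file is created 0600 and only then
# handed to the service group, which is the ordering Viktor recommends.
make_selfsigned() {
    outdir=$1; cn=$2; subj=$3; grp=$4
    (
        umask 077
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
            -keyout "$outdir/private/$cn.key" \
            -out "$outdir/certs/$cn.crt" \
            -subj "$subj" >/dev/null 2>&1
    ) || return 1
    chgrp "$grp" "$outdir/private/$cn.key" && chmod 640 "$outdir/private/$cn.key"
}

# Checks to run afterwards: the key's mode string as ls shows it, and the
# subject openssl actually wrote into the certificate.
key_mode() {
    ls -ld "$1" | cut -c1-10
}
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Usage: sh selfsigned.sh demo   (writes into a temporary directory;
# the DN values below are constructed placeholders)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && mkdir -p "$d/certs" "$d/private"
    host=$(uname -n)
    s=$(build_subj US "Some State" "Some City" "Example Co" "" "$host" "postmaster@example.com")
    make_selfsigned "$d" "$host" "$s" "$(id -gn)"
    key_mode "$d/private/$host.key"
    cert_subject "$d/certs/$host.crt"
fi
```

Pass the group that actually reads the key (the Apache or Postfix group on the host) as the last argument of make_selfsigned; the demo uses the caller's own group only so it runs anywhere.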


Re: [openssl-users] scripting creating a cert

2017-03-10 Thread Robert Moskowitz
Very nice.  But this looks like it is part of the whole easyRSA effort,
not something I can easily feed into the openssl command to create the
cert.  It would take a fair bit of digging to dig out what I need for now.


Definitely something I will look into soon, as providing a simple PKI
for a small installation has long been on my list.  But the effort name
is limiting.  What about ECDSA and EDDSA certs?  :)


On 03/10/2017 06:58 AM, Jochen Bern wrote:

> On 03/10/2017 01:10 AM, openssl-users-requ...@openssl.org digested:
>
>> Thing is that this then prompts for a number of fields:
>
> [...]
>
>> Is there some 'simple' way to provide these answers?  Like with env
>> variables?
>
> Yes, and as others have already pointed out, there's also the
> possibility of command line parameters given to OpenSSL.
>
> A publicly available set of scripts that makes heavy use of the env var
> method and might serve as an example would be easyRSA (here, version 3):
>
>> # grep EASYRSA_REQ_ openssl-1.0.cnf
>> commonName_default  = $ENV::EASYRSA_REQ_CN
>> countryName_default = $ENV::EASYRSA_REQ_COUNTRY
>> stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
>> localityName_default= $ENV::EASYRSA_REQ_CITY
>> 0.organizationName_default  = $ENV::EASYRSA_REQ_ORG
>> organizationalUnitName_default  = $ENV::EASYRSA_REQ_OU
>> commonName_default  = $ENV::EASYRSA_REQ_CN
>> emailAddress_default= $ENV::EASYRSA_REQ_EMAIL
>
>> # grep EASYRSA_REQ_ easyrsa | grep -v ';;'
>> [ $EASYRSA_BATCH ] && opts="$opts -batch" || export
>> EASYRSA_REQ_CN="Easy-RSA CA"
>> [ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1"
>> EASYRSA_REQ_CN="$name"
>> set_var EASYRSA_REQ_COUNTRY "US"
>> set_var EASYRSA_REQ_PROVINCE"California"
>> set_var EASYRSA_REQ_CITY"San Francisco"
>> set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
>> set_var EASYRSA_REQ_EMAIL   m...@example.net
>> set_var EASYRSA_REQ_OU  "My Organizational Unit"
>> set_var EASYRSA_REQ_CN  ChangeMe
>
> https://github.com/OpenVPN/easy-rsa
>
> Kind regards,






Re: [openssl-users] scripting creating a cert

2017-03-10 Thread Jochen Bern
On 03/10/2017 01:10 AM, openssl-users-requ...@openssl.org digested:
> Thing is that this then prompts for a number of fields:
[...]
> Is there some 'simple' way to provide these answers?  Like with env 
> variables?

Yes, and as others have already pointed out, there's also the
possibility of command line parameters given to OpenSSL.

A publicly available set of scripts that makes heavy use of the env var
method and might serve as an example would be easyRSA (here, version 3):

> # grep EASYRSA_REQ_ openssl-1.0.cnf 
> commonName_default  = $ENV::EASYRSA_REQ_CN
> countryName_default = $ENV::EASYRSA_REQ_COUNTRY
> stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
> localityName_default= $ENV::EASYRSA_REQ_CITY
> 0.organizationName_default  = $ENV::EASYRSA_REQ_ORG
> organizationalUnitName_default  = $ENV::EASYRSA_REQ_OU
> commonName_default  = $ENV::EASYRSA_REQ_CN
> emailAddress_default= $ENV::EASYRSA_REQ_EMAIL

> # grep EASYRSA_REQ_ easyrsa | grep -v ';;'
> [ $EASYRSA_BATCH ] && opts="$opts -batch" || export 
> EASYRSA_REQ_CN="Easy-RSA CA"
> [ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1"
> EASYRSA_REQ_CN="$name"
> set_var EASYRSA_REQ_COUNTRY "US"
> set_var EASYRSA_REQ_PROVINCE"California"
> set_var EASYRSA_REQ_CITY"San Francisco"
> set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
> set_var EASYRSA_REQ_EMAIL   m...@example.net
> set_var EASYRSA_REQ_OU  "My Organizational Unit"
> set_var EASYRSA_REQ_CN  ChangeMe

https://github.com/OpenVPN/easy-rsa

Kind regards,
-- 
Jochen Bern
Systems Engineer





Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz



On 03/09/2017 08:53 PM, Viktor Dukhovni wrote:

> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote:
>
>>>    $ umask 077 # avoid world-readable private keys
>>
>> Perhaps (no perhaps about it) this is old information, but I picked up that I
>> needed:
>>
>> chmod 640 for the private keys for Apache.  (and postfix and others use these
>> certs; at least they are in their confs)
>
> I strive to avoid the private disclosure race of first creating
> a world-readable file, and then trying to do a quick chmod before
> the bad guys get around to opening it.  That's why I recommend the
> umask approach.
>
> You can adjust the umask to suit your needs.  With OpenSSL 1.1.0,
> if I recall correctly "keyout" files and the like are automatically
> opened mode "0600". Rich Salz, who wrote the CLI option processing
> code for 1.1.0 will correct me, if my memory is faulty.  There are
> still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
> always figure out which files end up having private keys in them,
> so the umask approach is a good precaution to keep using.


And Rich and I sit down and talk about things all the time at IETF. This 
time we will have some other items to discuss.


And since this will go into a world-readable (eventually) howto, this is 
good advice that I will work on incorporating.


Thanks



Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Viktor Dukhovni

> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz  wrote:
> 
>>   $ umask 077 # avoid world-readable private keys
> 
> Perhaps (no perhaps about it) this is old information, but I picked up that I 
> needed:
> 
> chmod 640 for the private keys for Apache.  (and postfix and others use these 
> certs; at least they are in their confs)

I strive to avoid the private disclosure race of first creating
a world-readable file, and then trying to do a quick chmod before
the bad guys get around to opening it.  That's why I recommend the
umask approach.

You can adjust the umask to suit your needs.  With OpenSSL 1.1.0,
if I recall correctly "keyout" files and the like are automatically
opened mode "0600". Rich Salz, who wrote the CLI option processing
code for 1.1.0 will correct me, if my memory is faulty.  There are
still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
always figure out which files end up having private keys in them,
so the umask approach is a good precaution to keep using.

-- 
Viktor.



Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz

Viktor,

On 03/09/2017 08:17 PM, Viktor Dukhovni wrote:

> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote:
>
>> I am creating self-signed certs with:
>>
>> openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 \
>>     -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 \
>>     -extensions v3_req
>>
>> Where, for example:
>>
>> your_host_tld=z9m9z.test.htt-consult.com
>>
>> Thing is that this then prompts for a number of fields
>
> The simplest solution is to set the subject DN explicitly on the command-line:
>
>    $ umask 077 # avoid world-readable private keys

Perhaps (no perhaps about it) this is old information, but I picked up
that I needed:

chmod 640 for the private keys for Apache.  (and postfix and others use
these certs; at least they are in their confs)

>    $ openssl req -new -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key \
>        -x509 -subj "/CN=$(uname -n)" -out certs/$your_host_tld.crt \
>        -days 3650 -extensions v3_req
>
> For more advanced related approaches see:
>
> https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh

Looks like this is pointing me in the direction I want to go.  I will
dig more into this approach.


thank you




Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz

Jan,

On 03/09/2017 08:06 PM, Jan Danielsson wrote:

> On 03/10/17 00:49, Robert Moskowitz wrote:
> [---]
>> Is there some 'simple' way to provide these answers?  Like with env
>> variables?
>
>    I tend to create response files (one response per line) and then
> simply pipe to openssl:
>
>    $ cat foo.params | openssl ...

I will try a few things out with this.

thanks

>    Just make sure openssl doesn't need any password inputs.

It doesn't for this command.




Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Viktor Dukhovni

> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz  wrote:
> 
> I am creating self-signed certs with:
> 
> openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 \
>     -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 \
>     -extensions v3_req
> 
> Where, for example:
> 
> your_host_tld=z9m9z.test.htt-consult.com
> 
> Thing is that this then prompts for a number of fields

The simplest solution is to set the subject DN explicitly on the command-line:

   $ umask 077 # avoid world-readable private keys
   $ openssl req -new -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key \
        -x509 -subj "/CN=$(uname -n)" -out certs/$your_host_tld.crt \
        -days 3650 -extensions v3_req

For more advanced related approaches see:


https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh

-- 
Viktor.



Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz

Hi, Rich.

Fancy meeting you here.

On 03/09/2017 07:33 PM, Salz, Rich via openssl-users wrote:

> Yes there are easier ways to do this.  Set up a conf file and use it (via the
> -conf flag).  You can use env vars, set default values, and so on.  Look at the
> config manpages, https://www.openssl.org/docs/manmaster/man5/

Not easy enough for me.  But I will have to read it some more.

> For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz

'Fuller' is putting it mildly.  :)

> PS -- find me in Chicago and I can answer questions, Robert :)

Plan on it!

Bob



Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Jan Danielsson
On 03/10/17 00:49, Robert Moskowitz wrote:
[---]
> Is there some 'simple' way to provide these answers?  Like with env
> variables?

   I tend to create response files (one response per line) and then
simply pipe to openssl:

   $ cat foo.params | openssl ...

   Just make sure openssl doesn't need any password inputs.

-- 
Kind regards,
Jan Danielsson



Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Salz, Rich via openssl-users
Yes there are easier ways to do this.  Set up a conf file and use it (via the 
-conf flag).  You can use env vars, set default values, and so on.  Look at the 
config manpages, https://www.openssl.org/docs/manmaster/man5/

For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz
 

PS -- find me in Chicago and I can answer questions, Robert :)
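The config-file route Rich describes here, combined with the $ENV:: lookups that Jochen's easy-rsa excerpt shows, as an added shell example (not code from the thread, and not easy-rsa's): a small req config takes every DN value from the environment, "prompt = no" makes openssl read them without asking, and the option is spelled -config in openssl req. Unlike easy-rsa's "_default" entries with -batch, an unset variable here makes openssl refuse to load the config, so a wrapper that checks the environment first fails loudly instead of minting a certificate with a bad subject. The REQ_* names, the [v3_self] section and the demo values are this example's own assumptions; it requires openssl(1).

```shell
#!/bin/sh
# Added example, not code from the thread or from easy-rsa. Drives
# "openssl req" from a config whose DN comes from $ENV:: lookups.
# Assumptions: openssl(1) on PATH; REQ_* variable names are invented here.

# Write a minimal req config whose DN values come from the environment.
# With "prompt = no" the [dn] entries are the values themselves (not the
# "_default" entries easy-rsa uses with -batch), and openssl rejects the
# config if a referenced variable is unset in the environment.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_self
default_md         = sha256

[ dn ]
C            = $ENV::REQ_COUNTRY
ST           = $ENV::REQ_PROVINCE
L            = $ENV::REQ_CITY
O            = $ENV::REQ_ORG
OU           = $ENV::REQ_OU
CN           = $ENV::REQ_CN
emailAddress = $ENV::REQ_EMAIL

[ v3_self ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:$ENV::REQ_CN
EOF
}

# List the environment variables a config references (sorted, unique), so
# the check below stays in sync with whatever the config file says.
required_vars() {
    sed -n 's/.*\$ENV::\([A-Za-z0-9_]*\).*/\1/p' "$1" | LC_ALL=C sort -u
}

# Print the referenced variables that are unset or empty; prints nothing
# when the environment is complete. Variables must be exported, because
# openssl's config parser reads them with getenv().
missing_vars() {
    for name in $(required_vars "$1"); do
        eval "val=\${$name:-}"
        [ -z "$val" ] && printf '%s\n' "$name"
    done
    return 0
}

# Generate key and self-signed cert from the config. umask 077 again keeps
# the key from ever being world-readable; an incomplete environment is
# reported and refused before openssl runs.
req_from_config() {
    # args: config path, key output path, cert output path
    [ -z "$(missing_vars "$1")" ] || { echo "unset: $(missing_vars "$1")" >&2; return 1; }
    (
        umask 077
        openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
            -config "$1" -keyout "$2" -out "$3" >/dev/null 2>&1
    )
}

# Usage: REQ_COUNTRY=US REQ_PROVINCE=... (all seven exported) sh req-config.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_req_config "$d/req.cnf"
    req_from_config "$d/req.cnf" "$d/server.key" "$d/server.crt" &&
        openssl x509 -in "$d/server.crt" -noout -text | grep -E 'Subject:|DNS:'
fi
```

Because the config is a file, the same REQ_* environment can drive several runs (one per hostname, as in the script near the top of the thread) by re-exporting only REQ_CN between them.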


[openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz

I am creating self-signed certs with:

openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 \
    -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 \
    -x509 -extensions v3_req


Where, for example:

your_host_tld=z9m9z.test.htt-consult.com

Thing is that this then prompts for a number of fields:

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Is there some 'simple' way to provide these answers?  Like with env 
variables?


thanks

