Re: [openssl-users] scripting creating a cert
Viktor,

On 03/09/2017 05:53 PM, Viktor Dukhovni wrote:
>> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote:
>>
>>> $ umask 077 # avoid world-readable private keys
>>
>> Perhaps (no perhaps about it) this is old information, but I picked up that I
>> needed:
>>
>> chmod 640 for the private keys for Apache. (and postfix and others use these
>> certs; at least they are in their confs)
>
> I strive to avoid the private disclosure race of first creating a
> world-readable file, and then trying to do a quick chmod before the bad
> guys get around to opening it. That's why I recommend the umask approach.
> You can adjust the umask to suit your needs.
>
> With OpenSSL 1.1.0, if I recall correctly "keyout" files and the like are
> automatically opened mode "0600". Rich Salz, who wrote the CLI option
> processing code for 1.1.0 will correct me, if my memory is faulty.
>
> There are still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
> always figure out which files end up having private keys in them, so the
> umask approach is a good precaution to keep using.
Rich got me some help and I have put the following together:

Set the following variables:

countryName=
stateOrProvinceName=
localityName=
organizationName=
organizationalUnitName=
emailAddress=postmaster@$your_domain_tld

Then the following commands create the certs:

restore_mask=$(umask -p)
umask 077
cd /etc/pki/tls

commonName=$your_host_tld
openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 \
  -nodes -keyout private/$commonName.key -keyform PEM -days 3650 -x509 \
  -extensions v3_req \
  -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"
chmod 640 private/$commonName.key

commonName=webmail$your_domain_tld
openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 \
  -nodes -keyout private/$commonName.key -keyform PEM -days 3650 -x509 \
  -extensions v3_req \
  -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"
chmod 640 private/$commonName.key

commonName=localhost
openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 \
  -nodes -keyout private/$commonName.key -keyform PEM -days 3650 -x509 \
  -extensions v3_req \
  -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"
chmod 640 private/$commonName.key

$restore_mask

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
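Added example, not code from the thread or from the OpenSSL project: a small POSIX shell helper that does what the script above does non-interactively, creating the key under umask 077 as Viktor recommends and only then relaxing it to 0640, using a minimal config so the v3_req section (and a subjectAltName) exists independent of the system openssl.cnf, plus helpers to check the key mode and the resulting subject. It assumes openssl is on PATH; the function names, the config contents and the XX / "Example Org" defaults are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive self-signed cert
# creation using the umask approach discussed above. Variable names, the
# minimal config and the verification helpers are assumptions.
set -eu

# make_self_signed CN DIR: writes DIR/private/CN.key and DIR/certs/CN.crt.
# The key is born under umask 077 (mode 0600) and only then relaxed to 0640
# for a service group, so there is never a world-readable window to race.
make_self_signed() {
    cn=$1; base=$2
    mkdir -p "$base/private" "$base/certs"
    # Minimal config so the run does not depend on the system openssl.cnf;
    # the subject comes from -subj, the SAN (which clients require) from here.
    cat > "$base/req.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_req]
basicConstraints = CA:FALSE
subjectAltName = DNS:$cn
EOF
    old_umask=$(umask)
    umask 077
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
        -config "$base/req.cnf" -extensions v3_req \
        -subj "/C=${countryName:-XX}/O=${organizationName:-Example Org}/CN=$cn" \
        -keyout "$base/private/$cn.key" -out "$base/certs/$cn.crt" 2>/dev/null
    umask "$old_umask"
    chmod 640 "$base/private/$cn.key"
}

# file_mode FILE: octal permission bits (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# cert_cn CERT: the subject CN, to check the DN landed as intended.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

# cert_san CERT: the subjectAltName value line, e.g. "DNS:host.example.test".
cert_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```

Call it as `make_self_signed "$your_host_tld" /etc/pki/tls` and then `file_mode` / `cert_cn` / `cert_san` on the outputs to confirm the key is 640 and the cert carries the expected name.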
Re: [openssl-users] scripting creating a cert
Very nice. But this looks like it is part of the whole easyRSA effort, not
something I can easily feed into the openssl command to create the cert. It
would take a fair bit of digging to dig out what I need for now.

Definitely something I will look into soon, as providing a simple PKI for a
small installation has long been on my list. But the effort name is
limiting. What about ECDSA and EDDSA certs? :)

On 03/10/2017 06:58 AM, Jochen Bern wrote:
> On 03/10/2017 01:10 AM, openssl-users-requ...@openssl.org digested:
>> Thing is that this then prompts for a number of fields:
>> [...]
>> Is there some 'simple' way to provide these answers? Like with env
>> variables?
>
> Yes, and as others have already pointed out, there's also the possibility
> of command line parameters given to OpenSSL. A publicly available set of
> scripts that makes heavy use of the env var method and might serve as an
> example would be easyRSA (here, version 3):
>
>> # grep EASYRSA_REQ_ openssl-1.0.cnf
>> commonName_default = $ENV::EASYRSA_REQ_CN
>> countryName_default = $ENV::EASYRSA_REQ_COUNTRY
>> stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
>> localityName_default = $ENV::EASYRSA_REQ_CITY
>> 0.organizationName_default = $ENV::EASYRSA_REQ_ORG
>> organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
>> commonName_default = $ENV::EASYRSA_REQ_CN
>> emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
>> # grep EASYRSA_REQ_ easyrsa | grep -v ';;'
>> [ $EASYRSA_BATCH ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
>> [ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1"
>> EASYRSA_REQ_CN="$name"
>> set_var EASYRSA_REQ_COUNTRY "US"
>> set_var EASYRSA_REQ_PROVINCE "California"
>> set_var EASYRSA_REQ_CITY "San Francisco"
>> set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
>> set_var EASYRSA_REQ_EMAIL m...@example.net
>> set_var EASYRSA_REQ_OU "My Organizational Unit"
>> set_var EASYRSA_REQ_CN ChangeMe
>
> https://github.com/OpenVPN/easy-rsa
>
> Kind regards,
Re: [openssl-users] scripting creating a cert
On 03/10/2017 01:10 AM, openssl-users-requ...@openssl.org digested:
> Thing is that this then prompts for a number of fields:
> [...]
> Is there some 'simple' way to provide these answers? Like with env
> variables?

Yes, and as others have already pointed out, there's also the possibility
of command line parameters given to OpenSSL. A publicly available set of
scripts that makes heavy use of the env var method and might serve as an
example would be easyRSA (here, version 3):

> # grep EASYRSA_REQ_ openssl-1.0.cnf
> commonName_default = $ENV::EASYRSA_REQ_CN
> countryName_default = $ENV::EASYRSA_REQ_COUNTRY
> stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
> localityName_default = $ENV::EASYRSA_REQ_CITY
> 0.organizationName_default = $ENV::EASYRSA_REQ_ORG
> organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
> commonName_default = $ENV::EASYRSA_REQ_CN
> emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
> # grep EASYRSA_REQ_ easyrsa | grep -v ';;'
> [ $EASYRSA_BATCH ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
> [ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1"
> EASYRSA_REQ_CN="$name"
> set_var EASYRSA_REQ_COUNTRY "US"
> set_var EASYRSA_REQ_PROVINCE "California"
> set_var EASYRSA_REQ_CITY "San Francisco"
> set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
> set_var EASYRSA_REQ_EMAIL m...@example.net
> set_var EASYRSA_REQ_OU "My Organizational Unit"
> set_var EASYRSA_REQ_CN ChangeMe

https://github.com/OpenVPN/easy-rsa

Kind regards,
-- 
Jochen Bern
Systems Engineer
Re: [openssl-users] scripting creating a cert
On 03/09/2017 08:53 PM, Viktor Dukhovni wrote:
>> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote:
>>
>>> $ umask 077 # avoid world-readable private keys
>>
>> Perhaps (no perhaps about it) this is old information, but I picked up that I
>> needed:
>>
>> chmod 640 for the private keys for Apache. (and postfix and others use these
>> certs; at least they are in their confs)
>
> I strive to avoid the private disclosure race of first creating a
> world-readable file, and then trying to do a quick chmod before the bad
> guys get around to opening it. That's why I recommend the umask approach.
> You can adjust the umask to suit your needs.
>
> With OpenSSL 1.1.0, if I recall correctly "keyout" files and the like are
> automatically opened mode "0600". Rich Salz, who wrote the CLI option
> processing code for 1.1.0 will correct me, if my memory is faulty.
>
> There are still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
> always figure out which files end up having private keys in them, so the
> umask approach is a good precaution to keep using.

And Rich and I sit down and talk about things all the time at IETF. This
time we will have some other items to discuss.

And since this will go into a world-readable (eventually) howto, this is
good advice that I will work on incorporating.

Thanks
Re: [openssl-users] scripting creating a cert
> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote:
>
>> $ umask 077 # avoid world-readable private keys
>
> Perhaps (no perhaps about it) this is old information, but I picked up that I
> needed:
>
> chmod 640 for the private keys for Apache. (and postfix and others use these
> certs; at least they are in their confs)

I strive to avoid the private disclosure race of first creating a
world-readable file, and then trying to do a quick chmod before the bad
guys get around to opening it. That's why I recommend the umask approach.
You can adjust the umask to suit your needs.

With OpenSSL 1.1.0, if I recall correctly "keyout" files and the like are
automatically opened mode "0600". Rich Salz, who wrote the CLI option
processing code for 1.1.0 will correct me, if my memory is faulty.

There are still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
always figure out which files end up having private keys in them, so the
umask approach is a good precaution to keep using.

-- 
Viktor.
Re: [openssl-users] scripting creating a cert
Viktor,

On 03/09/2017 08:17 PM, Viktor Dukhovni wrote:
>> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote:
>>
>> I am creating self-signed certs with:
>>
>> openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048
>> -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509
>> -extensions v3_req
>>
>> Where, for example:
>>
>> your_host_tld=z9m9z.test.htt-consult.com
>>
>> Thing is that this then prompts for a number of fields
>
> The simplest solution is to set the subject DN explicitly on the
> command-line:
>
> $ umask 077 # avoid world-readable private keys

Perhaps (no perhaps about it) this is old information, but I picked up that
I needed:

chmod 640 for the private keys for Apache. (and postfix and others use these
certs; at least they are in their confs)

> $ openssl req -new -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key \
>     -x509 -subj "/CN=$(uname -n)" -out certs/$your_host_tld.crt \
>     -days 3650 -extensions v3_req
>
> For more advanced related approaches see:
>
> https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh

Looks like this is pointing me in the direction I want to go. I will dig
more into this approach.

thank you
Re: [openssl-users] scripting creating a cert
Jan,

On 03/09/2017 08:06 PM, Jan Danielsson wrote:
> On 03/10/17 00:49, Robert Moskowitz wrote:
> [---]
>> Is there some 'simple' way to provide these answers? Like with env
>> variables?
>
> I tend to create response files (one response per line) and then simply
> pipe to openssl:
>
> $ cat foo.params | openssl ...

I will try a few things out with this.

thanks

> Just make sure openssl doesn't need any password inputs.

It doesn't for this command.
Re: [openssl-users] scripting creating a cert
> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote:
>
> I am creating self-signed certs with:
>
> openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048
> -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509
> -extensions v3_req
>
> Where, for example:
>
> your_host_tld=z9m9z.test.htt-consult.com
>
> Thing is that this then prompts for a number of fields

The simplest solution is to set the subject DN explicitly on the
command-line:

$ umask 077 # avoid world-readable private keys
$ openssl req -new -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key \
    -x509 -subj "/CN=$(uname -n)" -out certs/$your_host_tld.crt \
    -days 3650 -extensions v3_req

For more advanced related approaches see:

https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh

-- 
Viktor.
Re: [openssl-users] scripting creating a cert
Hi, Rich. Fancy meeting you here.

On 03/09/2017 07:33 PM, Salz, Rich via openssl-users wrote:
> Yes there are easier ways to do this. Set up a conf file and use it (via
> the -conf flag). You can use env vars, set default values, and so on.
> Look at the config manpages, https://www.openssl.org/docs/manmaster/man5/

Not easy enough for me. But I will have to read it some more.

> For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz

'Fuller' is putting it mildly. :)

> PS -- find me in Chicago and I can answer questions, Robert :)

Plan on it!

Bob
Re: [openssl-users] scripting creating a cert
On 03/10/17 00:49, Robert Moskowitz wrote:
[---]
> Is there some 'simple' way to provide these answers? Like with env
> variables?

I tend to create response files (one response per line) and then simply
pipe to openssl:

$ cat foo.params | openssl ...

Just make sure openssl doesn't need any password inputs.

-- 
Kind regards,
Jan Danielsson
Re: [openssl-users] scripting creating a cert
Yes there are easier ways to do this. Set up a conf file and use it (via
the -conf flag). You can use env vars, set default values, and so on.
Look at the config manpages, https://www.openssl.org/docs/manmaster/man5/

For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz

PS -- find me in Chicago and I can answer questions, Robert :)
[openssl-users] scripting creating a cert
I am creating self-signed certs with:

openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 \
  -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 \
  -extensions v3_req

Where, for example:

your_host_tld=z9m9z.test.htt-consult.com

Thing is that this then prompts for a number of fields:

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Is there some 'simple' way to provide these answers? Like with env
variables?

thanks