Re: SSL cert key generation on an appliance

2003-10-16 Thread Charles B Cranston
Sorry if I am way off base, haven't looked at the thread carefully,
but if you can get a self-signed certificate you might be able to
pass it into openssl req and convert it to a CSR, then sign that with
the higher level cert.
The idea is that all you really need is the public key, and that is
in the certificate (and can be moved to a CSR with req).  My belief
that this will work is strong enough that I'm going to risk being
publicly embarrassed if it doesn't...
Mike Klein wrote:
What you found is for self-signed certificates...not sure if this is 
what you want. Kind of too simplistic. What most faqs should steer 
users towards is not self-signed server certs, but a self-signed 
ca...from which all else derives.

In my server setup for my home office/lab...I have a self-signed CA, 
which signs certificates for the principals in my network (servers and 
users).

I think this is more what you want...a self-signed CA only.

When doing ssl auth, or smime/etc. it's much easier to just have your 
users import your self-signed ca cert just once and then everything else 
is all good/accepted.

Check out the numerous perl ssl routines on cpan. Here's a perl intf to 
openssl:

http://search.cpan.org/~madwolf/OpenCA-OpenSSL-0.9.91/OpenSSL.pod

The above states that it is merely a command-line intf to openssl (via 
perl of course). The apis look quite simple.

cheers,

mike

Rob Patrick wrote:

Found a solution in the list archives from last month.

http://www.moser-willi.at/doc/howto/docs/AutoSSL/

That script works great!!!   Thanks much.

- Original Message - From: Waitman C. Gobble, II 
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 12:28 AM
Subject: RE: SSL cert  key generation on an appliance

 

Hello,

I am positive that there is a perl module, there just has to be. I
haven't used it though.
If you aren't exactly stuck on perl, you might have a look at the
openssl functions in php:
http://us3.php.net/manual/en/ref.openssl.php

Take care,

Waitman Gobble
EMK Design
Telephone (714) 522-2528
Toll Free (877) 290-2768
http://emkdesign.com
...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob Patrick
Sent: Tuesday, October 14, 2003 9:08 PM
To: [EMAIL PROTECTED]
Subject: SSL cert  key generation on an appliance
Hello,

We're looking to deploy Linux-based security appliances that only
provide the end-user with a web front-end.
We want the end-user to have the ability to generate new (self-signed)
certificates and SSL keys to be used on the appliance under Apache
mod_ssl once installed.
I'm betting somebody else has already solved this...  how do you
generate certs and keys without access to the interactive command line?
Essentially, I'm looking for a shell script, some Perl, or another
method to perform cert and key generation in an automated fashion,
driven by input submitted by a user via the web.
From what I can gather with the cmd-line utilities provided by OpenSSL,
interactive command-line access is required.
If there's an easier way than wrapping the OpenSSL cmd-line utilities
with Net::Telnet and IO::Pty, please tell me!
Thanks,

-Rob Patrick

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
  

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
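
Added example (not part of the original thread and not the AutoSSL script linked in it): a shell sketch of the three ideas discussed here, namely key and certificate generation with no interactive prompts (`-subj`), a self-signed CA, and turning a self-signed certificate back into a CSR that the CA then signs. The conversion is done with `openssl x509 -x509toreq`, which needs the matching private key to sign the request. Function names, file names, subject strings, key size and validity periods are assumptions.

```sh
#!/bin/sh
# Added example: function names, file names and subject fields are assumptions.
umask 077   # private keys must not be readable by other local users

# The web-submitted host name is pasted into -subj, where '/', '=', '+' or a
# newline would inject extra subject fields, so allow DNS characters only.
validate_cn() {
    case "$1" in
        ''|[.-]*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]   # X.509 limits commonName to 64 characters
}

# One-time step: self-signed CA whose certificate users import. $1 = directory
make_ca() {
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext" &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -subj "/O=Example Appliance/CN=Example Appliance CA" -out "$1/ca.csr" &&
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -sha256 -days 3650 \
        -extfile "$1/ca.ext" -extensions ca -out "$1/ca.crt"
}

# Key plus self-signed certificate, no prompts. $1 = directory, $2 = host name
make_self_signed() {
    validate_cn "$2" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/selfsigned.crt"
}

# Convert the self-signed certificate to a CSR (signed with its own key), then
# let the CA issue a certificate for the same public key. $1 = directory
reissue_under_ca() {
    openssl x509 -x509toreq -in "$1/selfsigned.crt" -signkey "$1/server.key" \
        -out "$1/server.csr" &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$1/server.crt"
}

# Public key of a certificate in PEM form, for comparison. $1 = certificate
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
```

After `reissue_under_ca`, `openssl verify -CAfile ca.crt server.crt` checks the chain, and `cert_pubkey` on `selfsigned.crt` and `server.crt` returns the same key.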


Re: SSL cert key generation on an appliance

2003-10-15 Thread Mike Klein
What you found is for self-signed certificates...not sure if this is 
what you want. Kind of too simplistic. What most faqs should steer 
users towards is not self-signed server certs, but a self-signed 
ca...from which all else derives.

In my server setup for my home office/lab...I have a self-signed CA, 
which signs certificates for the principals in my network (servers and 
users).

I think this is more what you want...a self-signed CA only.

When doing ssl auth, or smime/etc. it's much easier to just have your 
users import your self-signed ca cert just once and then everything else 
is all good/accepted.

Check out the numerous perl ssl routines on cpan. Here's a perl intf to 
openssl:

http://search.cpan.org/~madwolf/OpenCA-OpenSSL-0.9.91/OpenSSL.pod

The above states that it is merely a command-line intf to openssl (via 
perl of course). The apis look quite simple.

cheers,

mike

Rob Patrick wrote:

Found a solution in the list archives from last month.

http://www.moser-willi.at/doc/howto/docs/AutoSSL/

That script works great!!!   Thanks much.

- Original Message - 
From: Waitman C. Gobble, II [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 12:28 AM
Subject: RE: SSL cert  key generation on an appliance

 

Hello,

I am positive that there is a perl module, there just has to be. I
haven't used it though.
If you aren't exactly stuck on perl, you might have a look at the
openssl functions in php:
http://us3.php.net/manual/en/ref.openssl.php

Take care,

Waitman Gobble
EMK Design
Telephone (714) 522-2528
Toll Free (877) 290-2768
http://emkdesign.com
...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob Patrick
Sent: Tuesday, October 14, 2003 9:08 PM
To: [EMAIL PROTECTED]
Subject: SSL cert  key generation on an appliance
Hello,

We're looking to deploy Linux-based security appliances that only
provide the end-user with a web front-end.
We want the end-user to have the ability to generate new (self-signed)
certificates and SSL keys to be used on the appliance under Apache
mod_ssl once installed.
I'm betting somebody else has already solved this...  how do you
generate certs and keys without access to the interactive command line?
Essentially, I'm looking for a shell script, some Perl, or another
method to perform cert and key generation in an automated fashion,
driven by input submitted by a user via the web.
From what I can gather with the cmd-line utilities provided by OpenSSL,
interactive command-line access is required.
If there's an easier way than wrapping the OpenSSL cmd-line utilities
with Net::Telnet and IO::Pty, please tell me!
Thanks,

-Rob Patrick



RE: SSL cert key generation on an appliance

2003-10-14 Thread Waitman C. Gobble, II

Hello,

I am positive that there is a perl module, there just has to be. I
haven't used it though.

If you aren't exactly stuck on perl, you might have a look at the
openssl functions in php:

http://us3.php.net/manual/en/ref.openssl.php

Take care,


Waitman Gobble
EMK Design
Telephone (714) 522-2528
Toll Free (877) 290-2768
http://emkdesign.com

...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob Patrick
Sent: Tuesday, October 14, 2003 9:08 PM
To: [EMAIL PROTECTED]
Subject: SSL cert  key generation on an appliance


Hello,

We're looking to deploy Linux-based security appliances that only
provide the end-user with a web front-end.

We want the end-user to have the ability to generate new (self-signed)
certificates and SSL keys to be used on the appliance under Apache
mod_ssl once installed.


I'm betting somebody else has already solved this...  how do you
generate certs and keys without access to the interactive command line?

Essentially, I'm looking for a shell script, some Perl, or another
method to perform cert and key generation in an automated fashion,
driven by input submitted by a user via the web.

From what I can gather with the cmd-line utilities provided by OpenSSL,
interactive command-line access is required.

If there's an easier way than wrapping the OpenSSL cmd-line utilities
with Net::Telnet and IO::Pty, please tell me!


Thanks,

-Rob Patrick




Re: SSL cert key generation on an appliance

2003-10-14 Thread Rob Patrick
Found a solution in the list archives from last month.

http://www.moser-willi.at/doc/howto/docs/AutoSSL/

That script works great!!!   Thanks much.

- Original Message - 
From: Waitman C. Gobble, II [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 12:28 AM
Subject: RE: SSL cert  key generation on an appliance


 
 Hello,
 
 I am positive that there is a perl module, there just has to be. I
 haven't used it though.
 
 If you aren't exactly stuck on perl, you might have a look at the
 openssl functions in php:
 
 http://us3.php.net/manual/en/ref.openssl.php
 
 Take care,
 
 
 Waitman Gobble
 EMK Design
 Telephone (714) 522-2528
 Toll Free (877) 290-2768
 http://emkdesign.com
 
 ...
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rob Patrick
 Sent: Tuesday, October 14, 2003 9:08 PM
 To: [EMAIL PROTECTED]
 Subject: SSL cert  key generation on an appliance
 
 
 Hello,
 
 We're looking to deploy Linux-based security appliances that only
 provide the end-user with a web front-end.
 
 We want the end-user to have the ability to generate new (self-signed)
 certificates and SSL keys to be used on the appliance under Apache
 mod_ssl once installed.
 
 
 I'm betting somebody else has already solved this...  how do you
 generate certs and keys without access to the interactive command line?
 
 Essentially, I'm looking for a shell script, some Perl, or another
 method to perform cert and key generation in an automated fashion,
 driven by input submitted by a user via the web.
 
 From what I can gather with the cmd-line utilities provided by OpenSSL,
 interactive command-line access is required.
 
 If there's an easier way than wrapping the OpenSSL cmd-line utilities
 with Net::Telnet and IO::Pty, please tell me!
 
 
 Thanks,
 
 -Rob Patrick
 
 