[TriLUG] (no subject)
Joseph Tate
jtate at dragonstrider.com
Wed Dec 3 18:10:34 EST 2003
bp wrote:
> I use the following set of commands to create self-signed certificates for
> AOL IM.
>
> /usr/share/ssl/misc/CA -newreq
> /usr/share/ssl/misc/CA -signreq
> openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile
> demoCA/cacert.pem -name "AIMCertificate" -out mycert.p12
>
> Anyone familiar enough with CA to propose how to script this process? I'd
> like to either provide all the required input on the commandline or use
> redirection to input it. It doesn't appear that CA takes input from the
> cmd line nor have I found a way to get redirection to work as it prompts
> for your certificate store password (which it's not reading from redirected
> standard in).
>
> I'd like to write a script to knock out certificates quickly. Any pointers
> on working around this security?
>
> // Yes, I know I'm circumventing some levels of security here.
>
>
> In case you want the necessary first set of commands to create a new CA:
> /usr/share/ssl/misc/CA -newca
> openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey
> demoCA/private/cakey.pem
> cp cacert.pem demoCA/cacert.pem
>
>
Check out the openssl.conf file, especially the prompt option (which
disables prompting and just uses values from the conf file). It has all
kinds of stuff like default name, organization, location, etc. You
could generate this as part of your script then use openssl -config
<YOURFILE>. Note that CA is just a wrapper around openssl commands, so
call them directly. You can specify nearly everything that's prompted
from the command line. Also, as the interview questions never change,
you could just put the input in a file one entry per line and use < to
redirect it into the openssl command.
See http://www.openssl.org/docs/apps/req.html# for additional info.
Joseph
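
A non-interactive version of the flow discussed in this thread, as an added example that is not from either poster: it writes a req config with `prompt = no`, calls openssl directly instead of the CA wrapper, and takes the PKCS#12 password from an environment variable rather than the command line. The DN values, file names and the `P12_PASS` variable are constructed assumptions.

```shell
#!/bin/sh
# Added example: scripted replacement for CA -newca / -newreq / -signreq + pkcs12.
# DN values, file names and P12_PASS are constructed for illustration.
set -eu
umask 077   # private keys below are written unencrypted (-nodes); keep them owner-only

# Write a req config. prompt = no makes openssl take the DN from the file.
write_req_conf() {  # $1 = output file, $2 = common name
    cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
C  = US
ST = North Carolina
O  = Example Org
CN = $2
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}

# One-time step: self-signed CA key and certificate.
make_ca() {  # $1 = working directory
    write_req_conf "$1/ca.cnf" "Example Test CA"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1024 -config "$1/ca.cnf" \
        -extensions v3_ca -keyout "$1/cakey.pem" -out "$1/cacert.pem"
}

# Per-certificate step: key + CSR, sign with the CA, bundle as PKCS#12.
# The export password comes from $P12_PASS so it never appears in argv.
issue_cert() {  # $1 = working directory, $2 = common name, $3 = output basename
    write_req_conf "$1/$3.cnf" "$2"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$3.cnf" \
        -keyout "$1/$3.key" -out "$1/$3.csr"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAserial "$1/ca.srl" -CAcreateserial -days 365 -out "$1/$3.pem"
    openssl pkcs12 -export -in "$1/$3.pem" -inkey "$1/$3.key" \
        -certfile "$1/cacert.pem" -name "AIMCertificate" \
        -passout env:P12_PASS -out "$1/$3.p12"
}

# Usage: P12_PASS=... sh issue.sh <workdir> <common-name>
if [ "$#" -eq 2 ]; then
    [ -f "$1/cakey.pem" ] || make_ca "$1"
    issue_cert "$1" "$2" "$2"
fi
```

Because the CA key is stored without a passphrase so the script can run unattended, anyone who can read the working directory can issue certificates; keep it on a host and account dedicated to that job.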