Bash script with a loop [duplicate] - bash

This question already has answers here:
Looping over pairs of values in bash [duplicate]
(6 answers)
Closed 4 years ago.
I'm trying to create bash script to generate certificates via openssl in a loop with different parameters.
Of course it's easy to write many lines of code with different parameters, something like:
#!/bin/bash
openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:1024 -keyout private1024_1.key -out RSA_1024_1_SHA256.crt -subj "/C=XX/ST=XXX/L=XXX /O=xxx/OU=xxx/CN=xx.xx/emailAddress=xx#xx.xx"
openssl req -x509 -sha256 -nodes -days 3 -newkey rsa:1024 -keyout private1024_3.key -out RSA_1024_3_SHA256.crt -subj "/C=XX/ST=XXX/L=XXX /O=xxx/OU=xxx/CN=xx.xx/emailAddress=xx#xx.xx"
but I don't think that's a good practice.
So I would like to create some loops with variables where I can set:
number of days;
type of rsa(1024/2048/4096);
name of private key according to type of rsa and numbers of day;
name of certificate according to type of rsa and numbers of day.
About -subj I think just make a separate table of variables and change them if need. I'm not so close with coding, but hope that it's possible to realize this idea with loops.
I will be grateful for any tips or patterns.
Realize next(and it's working):
#!/bin/bash
# Certificate details; replace items in angle brackets with your own info
subj="
C=XX
ST=XXX
O=XXXX
localityName=XXX xx
commonName=xxx.xx
organizationalUnitName=xxx xx
emailAddress=test#xxx.xx
"
declare -a days=(1 3 5 10 15 30 365)
declare -a rsatype=(1024 2048 4096)
declare -a sha=(sha1 md5 sha256 sha512)
dd=7
rst=3
shat=4
for ((i = 0; i < dd; i++))
do
for((j = 0; j < rst; j++))
do
for((k = 0; k < shat; k++))
do
keyout=private${rsatype[$j]}_${days[$i]}.key
out=RSA_${rsatype[$j]}_${days[$i]}_${sha[$k]}.crt
openssl req -x509 -${sha[$k]} -nodes -days ${days[$i]} -newkey rsa:"${rsatype[$j]}" -keyout "$keyout" -out "$out" -subj "$(echo -n "$subj" | tr "\n" "/")"
done
done
done


You can just use two arrays for the number of days and rsa type, while the name of the private key and the name of certificate are determined from the data of the two arrays. Then you iterate a loop over the array elements.
Example:
#!/bin/bash
declare -a days=(1 3)
declare -a rsatype=(1024 2048)
tot=2
for ((i = 0; i < tot; i++))
do
keyout=private${rsatype[$i]}_${days[$i]}.key
out=RSA_${rsatype[$i]}_${days[$i]}_SHA256.crt
openssl req -x509 -sha256 -nodes -days ${days[$i]} -newkey rsa:${rsatype[$i]} \
-keyout $keyout -out $out \
-subj "/C=XX/ST=XXX/L=XXX /O=xxx/OU=xxx/CN=xx.xx/emailAddress=xx#xx.xx"
done

Related

Create certificates with openssl from csv script.sh Ubuntu Server

I'm creating certificates in a script.sh to generate certificates with all the data of a user, but I don't know how to bring that data from a CSV, I managed to read the data but I can't figure out how to put it in the command.
my CSV contains (one thousand records):
Country, place, city, company, nameuser, email
EU,HOME,HOME1,DESKTOP,USERNAME,test#gmail.com
xx,xxx,xxxx,xxxx,xxxx,xxxx
xx,xxx,xxxx,xxxx,xxxx,xxxx
etc....
#!/bin/bash
openssl \
req -x509 \
-newkey rsa:4096 \
-keyout user.key \
-out user.crt \
-days 365 \
-nodes \
-subj "/C=EU/ST=HOME/L=HOME1/O=Desktop/CN=USERNAME/emailAddress=test#gmail.com"
thank you!!!

If that CSV data is truly that straightforward, it could be done with a few lines of bash like this (this assumes the CSV data is in data.csv):
#!/bin/bash
# Skip the first line, then read the comma-separated lines into individual variables
tail -n +2 data.csv | while IFS=, read f1 f2 f3 f4 f5 f6; do
echo openssl \
req -x509 \
-newkey rsa:4096 \
-days 365 \
-keyout "$f5.key" \
-out "$f5.crt" \
-nodes \
-subj "/C=$f1/ST=$f2/L=$f3/O=$f4/CN=$f5/emailAddress=$f6"
done
For demonstration purposes I prefixed it with an echo there, just remove that to run the actual commands.
With input like the following...
Country, place, city, company, nameuser, email
EU,HOME,HOME1,DESKTOP,USERNAME,test#gmail.com
x1,xx2,xxx3,xxx4,xxx5,xxx6
y1,yy2,yyy3,yyy4,yyy5,yyy6
... the script will generate command-lines like this (I assumed you would also want unique *.crt and *.key filenames, keyed on the username, by the way):
$ ./cert_gen.sh
openssl req -x509 -newkey rsa:4096 -keyout USERNAME.key -out USERNAME.crt -days 365 -nodes -subj /C=EU/ST=HOME/L=HOME1/O=DESKTOP/CN=USERNAME/emailAddress=test#gmail.com
openssl req -x509 -newkey rsa:4096 -keyout xxx5.key -out xxx5.crt -days 365 -nodes -subj /C=x1/ST=xx2/L=xxx3/O=xxx4/CN=xxx5/emailAddress=xxx6
openssl req -x509 -newkey rsa:4096 -keyout yyy5.key -out yyy5.crt -days 365 -nodes -subj /C=y1/ST=yy2/L=yyy3/O=yyy4/CN=yyy5/emailAddress=yyy6

Openssl CSR Creation with -subj is failing

I'm having a Scirpt and I'm trying to create a self signed Cert:
openssl ecparam -genkey -name secp384r1 -out /etc/nginx/ssl/${MYDOMAIN}.key.pem >/dev/null 2>&1
openssl req -new -sha256 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -out /etc/nginx/ssl/csr.pem -subj "/C=/ST=/L=/O=/OU=/CN=*.${MYDOMAIN}" >/dev/null 2>&1
openssl req -x509 -days 365 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -in /etc/nginx/ssl/csr.pem -out /etc/nginx/ssl/${MYDOMAIN}.pem >/dev/null 2>&1
The creation of the CSR should be silent due to the -subj paramter, but it's not working at all with this line:
openssl req -new -sha256 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -out /etc/nginx/ssl/csr.pem -subj "/C=/ST=/L=/O=/OU=/CN=*.${MYDOMAIN}" >/dev/null 2>&1
I'm receiving an error like this:
[INFO] Creating self-signed SSL certificates...
No value provided for Subject Attribute C, skipped
No value provided for Subject Attribute ST, skipped
No value provided for Subject Attribute L, skipped
No value provided for Subject Attribute O, skipped
No value provided for Subject Attribute OU, skipped
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
It was working in that way, before I updated Openssl to 1.1.0...
With:
openssl req -new -sha256 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -out /etc/nginx/ssl/csr.pem subj "/C=DE/ST=Berlin/L=Berlin/O=Privat/OU=Privat/CN=*.${MYDOMAIN}" >/dev/null 2>&1
I'm getting this error:
[INFO] Creating self-signed SSL certificates...
unknown option subj
req [options] outfile
where options are
[...]

Creating certificate to sign GDB on Mac OS X from bash

I am trying to install gdb on Mac OS X by following link1 and link2. This process is done in four steps:
installing gdb using brew install gdb
creating a certificate
sign gdb using codesign -s [cert-name] [your-gdb-location]
How can I automate step 2 in a bash script?

This is my final code (based on here, here and here):
cat > myconfig.cnf << EOF
[ req ]
prompt = no
distinguished_name = my dn
[ my dn ]
# The bare minimum is probably a commonName
commonName = VENTOS
countryName = XX
localityName = Fun Land
organizationName = MyCo LLC LTD INC (d.b.a. OurCo)
organizationalUnitName = SSL Dept.
stateOrProvinceName = YY
emailAddress = ssl-admin#example.com
name = John Doe
surname = Doe
givenName = John
initials = JXD
dnQualifier = some
[ my server exts ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
echo "generating the private key ..."
openssl genrsa -des3 -passout pass:foobar -out server.key 2048
echo ""
echo "generating the CSR (certificate signing request) ..."
openssl req -new -passin pass:foobar -passout pass:foobar -key server.key -out server.csr -config myconfig.cnf -extensions 'my server exts'
echo ""
echo "generating the self-signed certificate ..."
openssl x509 -req -passin pass:foobar -days 6666 -in server.csr -signkey server.key -out server.crt -extfile myconfig.cnf -extensions 'my server exts'
echo ""
echo "convert crt + RSA private key into a PKCS12 (PFX) file ..."
openssl pkcs12 -export -passin pass:foobar -passout pass:foobar -in server.crt -inkey server.key -out server.pfx
echo ""
echo "importing the certificate ..."
sudo security import server.pfx -k /Library/Keychains/System.keychain -P foobar
Now you can see the certificate listed in System keychains:
To sign gdb
sudo codesign -s VENTOS "$(which gdb)"

Padding errors using OpenSSL for encrypt/decrypt with Keys extracted from Digital Cert

I am using some command line Open SSL commands to encrypt and decrypt data using Public and Private keys extracted from a Digital Cert. When I try to decrypt I get PKCS padding errors. Can someone tell me where I'm going wrong?
These are the command I've been using:
a) Extract Public key: openssl x509 -pubkey -noout -in xxxxx.cer > xxxxxpublickey.pem
b) Extract Private Key:openssl pkcs12 -in xxxxxx.pfx -nocerts -out xxxxxprivatekey.pem -nodes
c) Encypt a key (.bin file): openssl enc -aes-256-cbc -in kenkey.bin -out kenkey_Key -pass file:xxxxxpublickey.pem
d) Decrypt key produced in c) openssl rsautl -decrypt -hexdump -in kenkey_key -inkey xxxxxprivatekey.key -out aeskey.txt
This produces errors like this:
RSA operation error 3248:error:0407109F:rsa
routines:RSA_padding_check_PKCS1_type_2:pkcs decoding
error:.\crypto\rsa\rsa_pk1.c:273: 3248:error:04065072:rsa
routines:RSA_EAY_PRIVATE_DECRYPT:padding check
failed:.\crypto\rsa\rsa_eay.c:602:

openssl generates the same public key from bash script

Im trying to generate multiple pairs of private - public keys with openssl
Im using this bash script.
openssl genrsa -out /etc/dkim10.key 1024 && openssl rsa -in /etc/dkim.key -out /etc/dkim10.pub -pubout &&
openssl genrsa -out /etc/dkim11.key 1024 && openssl rsa -in /etc/dkim.key -out /etc/dkim11.pub -pubout &&
openssl genrsa -out /etc/dkim12.key 1024 && openssl rsa -in /etc/dkim.key -out /etc/dkim12.pub -pubout
the private keys are different but the public key is always the same. the .pub files are identical when compared with diff. the same happens if I try to generate the pairs one by one. is this normal ? and how can I make it generate different public keys?

You are using the same private key for each public key command: openssl rsa -in /etc/dkim.key.
You need to use the correct private key.

Resources