I'm creating certificates in a script.sh, with all the data of a user, but I don't know how to bring that data in from a CSV. I managed to read the data, but I can't figure out how to put it in the command.
My CSV contains (one thousand records):
Country, place, city, company, nameuser, email
EU,HOME,HOME1,DESKTOP,USERNAME,test#gmail.com
xx,xxx,xxxx,xxxx,xxxx,xxxx
xx,xxx,xxxx,xxxx,xxxx,xxxx
etc....
#!/bin/bash
openssl \
req -x509 \
-newkey rsa:4096 \
-keyout user.key \
-out user.crt \
-days 365 \
-nodes \
-subj "/C=EU/ST=HOME/L=HOME1/O=Desktop/CN=USERNAME/emailAddress=test#gmail.com"
thank you!!!
If that CSV data is truly that straightforward, it could be done with a few lines of bash like this (this assumes the CSV data is in data.csv):
#!/bin/bash
# Skip the first line, then read the comma-separated lines into individual variables
# (-r keeps backslashes in the data literal)
tail -n +2 data.csv | while IFS=, read -r f1 f2 f3 f4 f5 f6; do
    echo openssl \
        req -x509 \
        -newkey rsa:4096 \
        -days 365 \
        -keyout "$f5.key" \
        -out "$f5.crt" \
        -nodes \
        -subj "/C=$f1/ST=$f2/L=$f3/O=$f4/CN=$f5/emailAddress=$f6"
done
For demonstration purposes I prefixed it with an echo there, just remove that to run the actual commands.
With input like the following...
Country, place, city, company, nameuser, email
EU,HOME,HOME1,DESKTOP,USERNAME,test#gmail.com
x1,xx2,xxx3,xxx4,xxx5,xxx6
y1,yy2,yyy3,yyy4,yyy5,yyy6
... the script will generate command-lines like this (I assumed you would also want unique *.crt and *.key filenames, keyed on the username, by the way):
$ ./cert_gen.sh
openssl req -x509 -newkey rsa:4096 -keyout USERNAME.key -out USERNAME.crt -days 365 -nodes -subj /C=EU/ST=HOME/L=HOME1/O=DESKTOP/CN=USERNAME/emailAddress=test#gmail.com
openssl req -x509 -newkey rsa:4096 -keyout xxx5.key -out xxx5.crt -days 365 -nodes -subj /C=x1/ST=xx2/L=xxx3/O=xxx4/CN=xxx5/emailAddress=xxx6
openssl req -x509 -newkey rsa:4096 -keyout yyy5.key -out yyy5.crt -days 365 -nodes -subj /C=y1/ST=yy2/L=yyy3/O=yyy4/CN=yyy5/emailAddress=yyy6
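A hardened variant of the loop in the answer above, added here as an example (it is not the answerer's code): each CSV field is checked against an allow-list before it reaches -subj or a filename, so a record containing "/" or "../" cannot add subject attributes or write a key outside the working directory. The function names valid_field, safe_filename, build_subj and gen_certs, the allowed character set and the sample records are assumptions made for this example.

```bash
#!/bin/bash
# Added example: validate CSV fields before they reach -subj or a filename.
umask 077    # -nodes writes unencrypted private keys; keep them owner-only

# Allow-list for subject fields: no "/" (the -subj separator), "+", "=" or
# backslash, so a record cannot add or alter subject attributes.
valid_field() {
    case $1 in ''|*[!A-Za-z0-9@._\ -]*) return 1 ;; esac
}

# The CN becomes a filename: no path separators, no leading "." or "-".
safe_filename() {
    case $1 in ''|[-.]*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

build_subj() {    # prints the -subj string, or fails on the first bad field
    local f
    for f in "$@"; do valid_field "$f" || return 1; done
    printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s/emailAddress=%s' "$@"
}

# Reads CSV on stdin. Dry run by default (prints the commands, like the echo
# in the answer); call as "RUN= gen_certs < data.csv" to execute them.
gen_certs() {
    local c st l o cn email subj header n=1 bad=0 cr
    cr=$(printf '\r')
    read -r header                      # skip the header line
    while IFS=, read -r c st l o cn email || [ -n "$c" ]; do
        n=$((n + 1))
        email=${email%"$cr"}            # tolerate CRLF exports
        if ! safe_filename "$cn" || ! subj=$(build_subj "$c" "$st" "$l" "$o" "$cn" "$email"); then
            echo "line $n: rejected, no certificate generated" >&2
            bad=$((bad + 1)); continue
        fi
        ${RUN-echo} openssl req -x509 -newkey rsa:4096 -days 365 -nodes \
            -keyout "$cn.key" -out "$cn.crt" -subj "$subj"
    done
    [ "$bad" -eq 0 ]                    # non-zero status if any record was skipped
}

sample_csv() {    # constructed records, not data from the original post
    printf '%s\n' 'Country,place,city,company,nameuser,email' \
        'EU,HOME,HOME1,DESKTOP,alice,alice@example.com' \
        'EU,HOME,HOME1,DESKTOP,../../tmp/x,x@example.com' \
        'EU,HOME,HOME1,DESKTOP/CN=admin,bob,bob@example.com'
}

sample_csv | gen_certs || echo "some records were rejected" >&2
```

A record with more than six fields is rejected as well, because the surplus commas end up in the last variable and fail the allow-list.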
I'm trying to create a bash script to generate certificates via openssl in a loop with different parameters.
Of course it's easy to write many lines of code with different parameters, something like:
#!/bin/bash
openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:1024 -keyout private1024_1.key -out RSA_1024_1_SHA256.crt -subj "/C=XX/ST=XXX/L=XXX /O=xxx/OU=xxx/CN=xx.xx/emailAddress=xx#xx.xx"
openssl req -x509 -sha256 -nodes -days 3 -newkey rsa:1024 -keyout private1024_3.key -out RSA_1024_3_SHA256.crt -subj "/C=XX/ST=XXX/L=XXX /O=xxx/OU=xxx/CN=xx.xx/emailAddress=xx#xx.xx"
but I don't think that's a good practice.
So I would like to create some loops with variables where I can set:
number of days;
type of rsa(1024/2048/4096);
name of private key according to type of rsa and numbers of day;
name of certificate according to type of rsa and numbers of day.
About -subj, I think I'll just make a separate table of variables and change them if needed. I'm not very familiar with coding, but I hope that it's possible to realize this idea with loops.
I will be grateful for any tips or patterns.
I implemented the following (and it's working):
#!/bin/bash
# Certificate details; replace items in angle brackets with your own info
subj="
C=XX
ST=XXX
O=XXXX
localityName=XXX xx
commonName=xxx.xx
organizationalUnitName=xxx xx
emailAddress=test#xxx.xx
"
declare -a days=(1 3 5 10 15 30 365)
declare -a rsatype=(1024 2048 4096)
declare -a sha=(sha1 md5 sha256 sha512)
dd=7
rst=3
shat=4
for ((i = 0; i < dd; i++))
do
    for ((j = 0; j < rst; j++))
    do
        for ((k = 0; k < shat; k++))
        do
            keyout=private${rsatype[$j]}_${days[$i]}.key
            out=RSA_${rsatype[$j]}_${days[$i]}_${sha[$k]}.crt
            openssl req -x509 -"${sha[$k]}" -nodes -days "${days[$i]}" -newkey rsa:"${rsatype[$j]}" -keyout "$keyout" -out "$out" -subj "$(echo -n "$subj" | tr "\n" "/")"
        done
    done
done
You can just use two arrays for the number of days and rsa type, while the name of the private key and the name of certificate are determined from the data of the two arrays. Then you iterate a loop over the array elements.
Example:
#!/bin/bash
declare -a days=(1 3)
declare -a rsatype=(1024 2048)
tot=2
for ((i = 0; i < tot; i++))
do
    keyout=private${rsatype[$i]}_${days[$i]}.key
    out=RSA_${rsatype[$i]}_${days[$i]}_SHA256.crt
    openssl req -x509 -sha256 -nodes -days "${days[$i]}" -newkey rsa:"${rsatype[$i]}" \
        -keyout "$keyout" -out "$out" \
        -subj "/C=XX/ST=XXX/L=XXX /O=xxx/OU=xxx/CN=xx.xx/emailAddress=xx#xx.xx"
done
I am trying to install gdb on Mac OS X by following link1 and link2. This process is done in four steps:
installing gdb using brew install gdb
creating a certificate
sign gdb using codesign -s [cert-name] [your-gdb-location]
How can I automate step 2 in a bash script?
This is my final code (based on here, here and here):
cat > myconfig.cnf << EOF
[ req ]
prompt = no
distinguished_name = my dn
[ my dn ]
# The bare minimum is probably a commonName
commonName = VENTOS
countryName = XX
localityName = Fun Land
organizationName = MyCo LLC LTD INC (d.b.a. OurCo)
organizationalUnitName = SSL Dept.
stateOrProvinceName = YY
emailAddress = ssl-admin#example.com
name = John Doe
surname = Doe
givenName = John
initials = JXD
dnQualifier = some
[ my server exts ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
echo "generating the private key ..."
openssl genrsa -des3 -passout pass:foobar -out server.key 2048
echo ""
echo "generating the CSR (certificate signing request) ..."
openssl req -new -passin pass:foobar -passout pass:foobar -key server.key -out server.csr -config myconfig.cnf -extensions 'my server exts'
echo ""
echo "generating the self-signed certificate ..."
openssl x509 -req -passin pass:foobar -days 6666 -in server.csr -signkey server.key -out server.crt -extfile myconfig.cnf -extensions 'my server exts'
echo ""
echo "convert crt + RSA private key into a PKCS12 (PFX) file ..."
openssl pkcs12 -export -passin pass:foobar -passout pass:foobar -in server.crt -inkey server.key -out server.pfx
echo ""
echo "importing the certificate ..."
sudo security import server.pfx -k /Library/Keychains/System.keychain -P foobar
Now you can see the certificate listed in System keychains:
To sign gdb
sudo codesign -s VENTOS "$(which gdb)"
I am using some command-line OpenSSL commands to encrypt and decrypt data using public and private keys extracted from a digital cert. When I try to decrypt I get PKCS padding errors. Can someone tell me where I'm going wrong?
These are the commands I've been using:
a) Extract public key: openssl x509 -pubkey -noout -in xxxxx.cer > xxxxxpublickey.pem
b) Extract private key: openssl pkcs12 -in xxxxxx.pfx -nocerts -out xxxxxprivatekey.pem -nodes
c) Encrypt a key (.bin file): openssl enc -aes-256-cbc -in kenkey.bin -out kenkey_Key -pass file:xxxxxpublickey.pem
d) Decrypt key produced in c): openssl rsautl -decrypt -hexdump -in kenkey_key -inkey xxxxxprivatekey.key -out aeskey.txt
This produces errors like this:
RSA operation error
3248:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error:.\crypto\rsa\rsa_pk1.c:273:
3248:error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:.\crypto\rsa\rsa_eay.c:602:
So, I have this application that creates a zip file with images and stuff,
and I want to sign it using smime.
If I use the terminal command:
openssl smime -binary -sign -passin "pass:MYPASS" -signer ./MyCertificate.pem -inkey ./MyKey.pem -in ./manifest.in -out ./signature.out -outform DER
Formatted:
openssl smime -binary -sign -passin "pass:MYPASS" \
-signer ./MyCertificate.pem -inkey ./MyKey.pem \
-in ./manifest.in -out ./signature.out -outform DER
The manifest.in is the file which contains the text to be signed, and signature.out is the output file.
I don't know a lot about signing, but I believe this code is signing my file using PKCS7.
How can I recreate the same result with Ruby/Rails?
I have tried to look in the documentation of OpenSSL, but I couldn't find anything useful for me.
EDIT
If this helps someone,
this is what the documentation says
I need to build:
A detached PKCS#7 signature of the manifest
Found a way.
Like this:
require 'secure_digest'
require 'openssl'
require 'json'

def sign_manifest(manifest = {})
  manifest_str = manifest.to_json
  key4_pem = File.read Rails.root.join("lib", "keys", "key.pem")
  pass_phrase = "supera"
  key = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
  cert = OpenSSL::X509::Certificate.new File.read Rails.root.join("lib", "keys", "certificate.pem")
  # BINARY and DETACHED mirror -binary and the detached signature; to_der mirrors -outform DER
  sign = OpenSSL::PKCS7.sign(cert, key, manifest_str, nil, OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::NOATTR | OpenSSL::PKCS7::DETACHED).to_der
  sign
end
Just to clarify my code: the manifest param is a hash which I want to sign using this code. If I want another item, like an image, string or file, I just need to read it as a string.