I have created a certificate authority and need to generate and sign 50+ certificates. I wanted to script this process. I don't want to have to manually enter a password 100+ times!
Here is the command I was getting hung up on:
openssl req -newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM -out ~/myCA/tempreq.pem -outform PEM
The problem is, it wants me to create a password with these prompts:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
When I am just being asked for a password to input I can use the -passin pass:mypass command line option for openssl. But this does not seem to work for creating a password.
Also, it seems strange that a password is required when later I just end up removing it with:
openssl rsa < tempkey.pem > server_key.pem
I tried creating a simple Ruby script:
require 'open3'
Open3.popen2("openssl req -newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM -out ~/myCA/tempreq.pem -outform PEM") {|i,o,t|
i.puts "mySecretPassword"
i.puts "mySecretPassword"
}
But this does not seem to work either. I still end up with a manual prompt asking me to create a password.
As explained in this answer you can use the -passout pass:foobar option to set a password via command line. For example:
openssl req \
-newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM \
-out ~/myCA/tempreq.pem -outform PEM \
-passout pass:foobar \
-subj "/C=US/ST=Test/L=Test/O=Test/CN=localhost"
The problem is most of utilities that expects a password do require interactive terminal. So if you try to fake it (like you did with a Ruby script) it will not work. You could also try:
echo -n "pass\npass\n" | openssl req ....
While this will work with some programs, those what require interative shell will not work.
You are searching for the tool called expect. Install it on your UNIX/Linux/MacOS and see the man page:
man expect
...
Expect is a program that "talks" to other interactive programs according to a script. Following the script, Expect
knows what can be expected from a program and what the correct response should be. An interpreted language pro‐
vides branching and high-level control structures to direct the dialogue. In addition, the user can take control
and interact directly when desired, afterward returning control to the script.
...
You need to create "expect script", it really depends on your environment - what the application is asking for. If it is only a passwords, it should be simple. Here is more complex example: http://fixunix.com/openssl/159046-expect-script-doesnt-create-newreq-pem.html
I think this should work (you will maybe need to change it a bit):
#!/usr/bin/expect -f
spawn -console openssl req blah blah blah blah
expect "Enter PEM pass phrase:*" {send "password\r"}
expect "Verifying - Enter PEM pass phrase:*" {send "password\r"}
Good luck!
Related
I am writing a shell script which executes a command which requires a password. I cannot put password in plain text in the script. I read about openssl encrypt decrypt mechanism but for encrypting a file again I need a password which again I cannot put in the script. I am clueless what is the best way to have a script execute a command using a secure password.
After reading about Using OpenSSL to encrypt messages and files on Linux, the following approach might work for you.
Assuming you have private and public key generated for your machine
openssl genrsa -out passwordPrivKey.pem 2048
openssl rsa -in passwordPrivKey.pem -out passwordPubKey.pem -outform PEM -pubout
OpenSSL could be used than to encrypt and decrypt a password. Providing a script stub which will demonstrate how to use the command.
#!/bin/bash
echo -n "password" > PASSWORD.plain
# To encrypt
openssl rsautl -encrypt -inkey ./passwordPrivKey.pem -pubin -in PASSWORD.plain -out PASSWORD.dat
# To decrypt
DECRYPTED=$(openssl rsautl -decrypt -inkey ./passwordPubKey.pem -in PASSWORD.dat)
echo $DECRYPTED
On the machine where the password is needed unencrypted later, only PASSWORD.dat and passwordPubKey.pem would be stored.
You may also interested in Hiding Password in Shell Scripts, Password encryption and decryption or How does OpenSSL decrypt a password.
Try openssl. It is a command available on UNIX and it can hash your password for you.
https://www.openssl.org/docs/man1.0.2/apps/openssl.html
It depends on where you execute that script from. If it's a continuous integration tool, there should be way to define a system variable, visible in your script.
I have some commands which need user interaction so that time either I want to Enter with defaults or feed some input from chef itself so my instance won't fail at run time. For example...
./build-ca # The command I am executing
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [KA]:
Here pressing enter will does the job (uses defaults) while doint it manually, but how I can automate this thing using Chef, some times I need to press y or other values as well. Any help will be highly appreciated.
If you have no alternatives (e.g. passing arguments or an input file to the command or script, as already suggested by others) you can script the interactions with expect and run it from your chef recipe using the bash resource.
See How to automate user interactive command in chef recipe
I think you are using the Easy RSA scripts to generate OpenVPN certificates.
One solution would be to generate the ./vars file and call pkitool (which is called by the old build-ca script):
easy_rsa_path = '/usr/share/easy-rsa' # or whatever
template "#{easy_rsa_path}/vars" # [...]
bash 'build-ca' do
cwd easy_rsa_path
code <<-EOH
source ./vars && \
./clean-all && \
./pkitool --batch --initca
EOH
creates "#{easy_rsa_path}/keys/ca.crt"
end
A better approach would be to use OpenSSL to generate the certificate. You can see an implementation example in the openvpn cookbook:
bash 'openvpn-initca' do
environment('KEY_CN' => "#{node['openvpn']['key']['org']} CA")
code <<-EOF
openssl req -batch -days #{node["openvpn"]["key"]["ca_expire"]} \
-nodes -new -newkey rsa:#{key_size} -sha1 -x509 \
-keyout #{node["openvpn"]["signing_ca_key"]} \
-out #{node["openvpn"]["signing_ca_cert"]} \
-config #{key_dir}/openssl.cnf
EOF
not_if { ::File.exists?(node['openvpn']['signing_ca_cert']) }
end
i have to connect to a webservice, where a pkcs12 certificate is a must. the idea was to use curl in a bash script (under OS X, to be specific).
i have learnt that one of the few things curl cannot do in communication, is handling pkcs12 certificates (.p12). what are my options?
i have read that converting the certificate to PEM format would work (using openssl), however i have no idea how to tell curl that it gets a PEM and should communicate with a webservice requesting PKCS12 certificates.
converting pkcs12 to pem would be done like this (e.g.), it worked for me, however i haven't successfully used them with curl:
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
any hints? or, any alternatives to curl? the solution should be commandline based.
I think you have already resolved but I had the same problem. I answer to share my solution.
If you have a .p12 file your approach is right.
First of all, you have to get the cert and the key separated from the p12 file.
As an example, if you have a mycert.p12 file execute
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
Then you have to make the call to your url. For instance, assume that you want to get the WSDL of a specific web service
curl -E ./file.crt.pem --key ./file.key.pem https://myservice.com/service?wsdl
If the files file.crt.pem and file.key.pem are in your working folder "./" is mandatory.
Check if you have a newer curl. Newer versions can handle PKCS12 outright.
Tangentially, quote the password, or individually escape all shell metacharacters.
curl --cert-type P12 --cert cert.p12:'password' https://yoursite.com
bioffes answer is correct.
He was suggesting to do:
curl --cert-type P12 --cert cert.p12:password https://yoursite.com
For some reason that didn't work for me. I was getting:
curl could not open PKCS12 file
I just ended up exporting the p12 file without a password and ended up just using the following format.
curl --cert-type P12 --cert cert.p12 https://yoursite.com
You can easily check to see if your curl can handle p12. Very likely it does. Just do man curl and scroll down til you find the cert-type. Mine was like this:
--cert-type <type>
(TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types. If not specified, PEM is assumed.
If this option is used several times, the last one will be used.
(I don't believe cmmd + F works to text not visible in the terminal. So you have to scroll down.
I am trying to run OpenSSL from Node.js in order to create a CSR. Basically, this works fine, but now I have a problem I can not solve.
Basically, what I want to do is to create a CSR from a key. The appropriate command is
$ openssl req -key private.key -new -subj "/C=DE/ST=..."
This outputs the CSR to stdout. So far, this is fine. What I now want to change is that I do not need to have the private key in a special file, instead I want to provide it from stdin. So, basically I'd like to run OpenSSL like this:
$ openssl req -new -subj "/C=DE/ST=..."
But since the -key parameter is now missing, this forces OpenSSL to create a new private key. How can I tell OpenSSL not to create a new private key, but to use the one I provide via stdin?
PS: I am aware of the option to hand over /dev/stdin to the -key parameter, but this will only work on OS X and Linux, not on Windows.
Instead of going to Extension Builder > Build Package…, I'd like to built a .safariextz package from the MyExtension.safariextension folder.
I know I can unpack an extension with xar -xf. I suspect the way back involves packing it with xar, but then I'll need to do the code signing thing, which may or may not involve codesign(1).
Here are Omar Ismail's instructions, omitting the need for separate shell scripts. This will all occur in a directory safari/, where we will be signing the directory safari/appname.safariextension/ to become the extension safari/appname.safariextz. The first thing is to sign the extension the official way, with Extension Builder's Build Package.
Set up Xar:
1. Download and unzip/untar
https://github.com/downloads/mackyle/xar/xar-1.6.1.tar.gz
to wherever you want the executable xar-1.6.1 (xar 1.6dev doesn't support the options we need)
2. in xar-1.6.1/
./configure
make
sudo make install
sudo ln -s /full/path/to/xar-1.6.1/src/xar /usr/local/bin/xar161
Set up your certificates:
1. in safari/
mkdir certs/
xar161 -f appname.safariextz --extract-certs certs/
2. open Keychain Access and export your Safari Developer certificate to safari/certs/certs.p12 (use a blank password for certs.p12, and then use your Mac's password to export the cert)
3. in safari/certs/
openssl pkcs12 -in certs.p12 -nodes | openssl x509 -outform der -out cert.der
(same blank password)
openssl pkcs12 -in certs.p12 -nodes | openssl rsa -out key.pem
(same blank password)
openssl dgst -sign key.pem -binary < key.pem | wc -c > size.txt
It's possible that you can get the certificates from certs/cert.p12, and not need the --extract-certs step (and hence not need the extension built the official way), but I don't know openssl well enough, and it's only for the set up that you need that step anyway.
Once everything is set up, to sign the extension:
In safari/
xar161 -czf appname.safariextz --distribution appname.safariextension/
xar161 --sign -f appname.safariextz --digestinfo-to-sign digest.dat --sig-size `cat certs/size.txt` --cert-loc certs/cert.der --cert-loc certs/cert01 --cert-loc certs/cert02
openssl rsautl -sign -inkey certs/key.pem -in digest.dat -out sig.dat
xar161 --inject-sig sig.dat -f appname.safariextz
rm -f sig.dat digest.dat
This was all on a 2006 Snow Leopard MacBook, so it's possible things may be different on a machine that's more up to date.
Looks like there is a way to patch XAR with a signature option. http://code.google.com/p/xar/issues/detail?id=76#c0