I am like 95% done my shell script to install a Debian mail server from a fresh install, this is based on my currently running mailserver that I know to be working. What I have done is I have captured user input for the required info for the SSL but every time I try to generate the SSL unattended with openssl it fails. Any chance someone can help me? I have tried the following which works for mysql changes but didnt work for me.
openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/postfix.pem -keyout /etc/ssl/private/postfix.pem<<EOF
$country
$state
$city
$org
$unit
$commonname
$email
EOF
This gets me as far as this and then I have to hit enter... not cool as I need to not have to hit anything. Any ideas?
What I've used with SaltStack is:
openssl req -new -x509 -days 365 -nodes \
-out /etc/ssl/certs/postfix.pem \
-keyout /etc/ssl/private/postfix.pem \
-subj "/C=RO/ST=Bucharest/L=Bucharest/O=IT/CN=www.example.ro"
Credit go to Sean P. Kane.
Related
I'm currently working on generating a certificate & private key and trying to import it in a pkcs#12 file, however when i try to generate it, i had a error from OpenSSL. For my tests, i have to insert a friendly name to my privatekey when the p12 is generating. Here under some details :
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "otto"
After this last command, i enter the server.key passphrase, enter an export password, and after that, a window appears informing that OpenSSL crashed...
I already searched for solutions, but found nothing usefull, does anyone have an idea ?
Thank you for your help
Regards
After running this:
openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
I get prompted with the option descriptions.
After running this
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes
I get prompted with "Enter Import Password:". What is this import password? I tried the one I set from the firefox backup and it responded with "Mac verify error: invalid password?". I'm sure that the password is correct because I tested it by importing it again into firefox.
I got the commands from the answer to this question!
I experienced the same thing too. Try to put the password in the command line like this. It works for me:
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes -password pass:<mypassword>
I'm following this tutorial. I've got DNSMasq working properly but getting a permissions error when trying to generate a self-signed certificate using this script:
#!/usr/bin/env sh
cat > openssl.conf <<-EOF
[req]
distinguished_name = site_distinguished_name
x509_extensions = v3_site
prompt = no
[site_distinguished_name]
CN = *.${PWD##*/}.dev
[v3_site]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = #domains
[domains]
DNS.1 = *.${PWD##*/}.dev
DNS.2 = ${PWD##*/}.dev
EOF
openssl req -new -newkey rsa:2048 -sha256 \
-days 3650 -nodes -x509 -keyout site.key \
-out site.crt -config openssl.conf
Here's what I'm getting in the terminal
project_directory $ ./ssl_cert_gen.sh
-bash: ./ssl_cert_gen.sh: Permission denied
project_directory $ sudo ./ssl_cert_gen.sh
Password:
sudo: ./ssl_cert_gen.sh: command not found
Am I way off? Any ideas? Thanks in advance.
You have to make the script executable:
$ chmod +x ssl_cert_gen.sh
All executable files in Unix must have the corresponding executable (x) bit set, otherwise the kernel won't execute them. Scripts are executables too, but they utilise the "shebang" mechanism (#!) to specify the name of an interpreter.
I need to automate X509 SSL certificate generation in a bash script (without prompt any strings to console).
I generate an SSL key and cert request automatically, but I can not automatize certificate generation without promt password.
This commands works without prompt:
openssl genrsa -des3 -passout pass:passwd -out testem/2.key 1024
openssl req -new -passin pass:passwd -subj "/" -key testem/2.key -out testem/2.csr
This command requests input password:
openssl x509 -req -days 365 -in testem/2.csr -signkey testem/2.key -out testem/2.crt
I can't find the option "-passout" in the manual of the command "x509".
What can be done?
You need to supply the password. Like this for example.
openssl x509 -passin pass:passwd -req -days 365 -in testem/2.csr -signkey testem/2.key -out testem/2.crt
I have created a certificate authority and need to generate and sign 50+ certificates. I wanted to script this process. I don't want to have to manually enter a password 100+ times!
Here is the command I was getting hung up on:
openssl req -newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM -out ~/myCA/tempreq.pem -outform PEM
The problem is, it wants me to create a password with these prompts:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
When I am just being asked for a password to input I can use the -passin pass:mypass command line option for openssl. But this does not seem to work for creating a password.
Also, it seems strange that a password is required when later I just end up removing it with:
openssl rsa < tempkey.pem > server_key.pem
I tried creating a simple Ruby script:
require 'open3'
Open3.popen2("openssl req -newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM -out ~/myCA/tempreq.pem -outform PEM") {|i,o,t|
i.puts "mySecretPassword"
i.puts "mySecretPassword"
}
But this does not seem to work either. I still end up with a manual prompt asking me to create a password.
As explained in this answer you can use the -passout pass:foobar option to set a password via command line. For example:
openssl req \
-newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM \
-out ~/myCA/tempreq.pem -outform PEM \
-passout pass:foobar \
-subj "/C=US/ST=Test/L=Test/O=Test/CN=localhost"
The problem is most of utilities that expects a password do require interactive terminal. So if you try to fake it (like you did with a Ruby script) it will not work. You could also try:
echo -n "pass\npass\n" | openssl req ....
While this will work with some programs, those what require interative shell will not work.
You are searching for the tool called expect. Install it on your UNIX/Linux/MacOS and see the man page:
man expect
...
Expect is a program that "talks" to other interactive programs according to a script. Following the script, Expect
knows what can be expected from a program and what the correct response should be. An interpreted language pro‐
vides branching and high-level control structures to direct the dialogue. In addition, the user can take control
and interact directly when desired, afterward returning control to the script.
...
You need to create "expect script", it really depends on your environment - what the application is asking for. If it is only a passwords, it should be simple. Here is more complex example: http://fixunix.com/openssl/159046-expect-script-doesnt-create-newreq-pem.html
I think this should work (you will maybe need to change it a bit):
#!/usr/bin/expect -f
spawn -console openssl req blah blah blah blah
expect "Enter PEM pass phrase:*" {send "password\r"}
expect "Verifying - Enter PEM pass phrase:*" {send "password\r"}
Good luck!