Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems. It's 100% free, no registration required.

My question is quite similar to another one here but not quite the same. I have a sequence of commands to create an SSL key/crt etc. And I want to be able to create an automated, default one. These are the commands (they came from this page):

openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

If each one only took one argument then it would be fine and I would do something like

openssl genrsa -des3 -out server.key 2048 <<< arg1

But one of them needs as many as 10 inputs which it asks for sequentially.

I tried something like this, but it didn't work:

openssl genrsa -des3 -out server.key 2048 << foo
arg1
arg2
foo

EDIT: This approach is actually working, I think, but not for the arguments that are supposed to be passwords. Does anyone have a workaround for that?

Could it make a difference that some of the arguments are passwords?

What is the simplest way to go about this?

OpenSSL may have a way to automate this, including passwords. man openssl or go to their website and read the documentation for more info. Otherwise, this looks like a job for expect. Read up on that tool as well. – rubynorails Nov 27 '15 at 2:25

This works as expected...I've been piping heredocs to openssl to create certs for years (e.g. I wrote the script below sometime in 2002, and that's the "new" version of the script...no idea when I first wrote it).

You need to provide ALL of the inputs that openssl expects, in the exact order that it expects them, even if some of those inputs are just a blank line (to accept the default).

For example, here's (a slightly edited version of) my script to generate self-signed certs for postfix:

#! /bin/sh

umask 077

# $site is used for the subdir to hold the certs AND for
# the certificate's Common Name
site="$1"
mkdir -p "$site"

# from here on, new files (the private key among them) are owner-read-only
umask 277

REQ="$site/key.pem"
CERT="$site/cert.pem"
SERV="$site/server.pem"
FING="$site/cert.fingerprint"

# certificate details for herenow script (configurable)
COUNTRY="AU"                # 2 letter country-code
STATE="Victoria"            # state or province name
LOCALITY="Melbourne"        # Locality Name (e.g. city)
ORGNAME="organisation name" # Organization Name (eg, company)
ORGUNIT=""                  # Organizational Unit Name (eg. section)
EMAIL="[email protected]"    # certificate's email address
# optional extra details
CHALLENGE=""                # challenge password
COMPANY=""                  # company name

DAYS="-days 365"            # deliberately left unquoted below so it splits into two words

# create the certificate request. The heredoc lines must be in exactly the
# order openssl req prompts for them; an empty variable gives a blank line,
# which accepts the default. -keyout and -out name the same file on purpose:
# when they match, openssl req appends the request after the key, so $REQ
# ends up holding the private key followed by the CSR.
cat <<__EOF__ | openssl req -new $DAYS -nodes -keyout "$REQ" -out "$REQ"
$COUNTRY
$STATE
$LOCALITY
$ORGNAME
$ORGUNIT
$site
$EMAIL
$CHALLENGE
$COMPANY
__EOF__

# sign it - will ask for demoCA's password
openssl ca $DAYS -policy policy_anything -out "$CERT" -infiles "$REQ"

# cert has to be readable by postfix
chmod 644 "$CERT"

# create server.pem for smtpd by concatenating the certificate (cert.pem) +
# demoCA's public certificate + the host's private key (key.pem)
cat "$CERT" ./demoCA/cacert.pem "$REQ" >"$SERV"

# create fingerprint file
openssl x509 -fingerprint -in "$CERT" -noout > "$FING"

NOTE: there is no error-checking here, just assumptions about the exact order of input required by openssl for this particular task. If you want error checking, use expect or perl's Expect.pm or python's pexpect.

Thanks, this is helpful. The only trouble I have left is when one of them requires a password, it still wants me to type it. It is accepting all other inputs fine. For example I have cat << __EOF__ | openssl req -new -key server.key -out server.csr followed by my password and then 9 blank lines and finally an EOF. It requires me to input the password manually and then continues to take values from the heredoc... – Devman Nov 30 '15 at 0:39
    
See man openssl and search for "PASS PHRASE ARGUMENTS" near the end of the document. There are multiple ways of providing pass-phrases to openssl. – cas Nov 30 '15 at 1:39
    
Yes, I've been looking at that. The -passin and -passout flags seem to work for every command except the openssl genrsa command. Is there anything special that a bash script can do to only accept keyboard input? More for future reference than for this problem. – Devman Dec 1 '15 at 1:56
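The question's five commands made fully non-interactive, as an added example that is not from the original post, the answer or either commenter: the subject prompts are replaced by -subj and the passphrase prompts by -passout/-passin reading from a file, one of the forms listed under "PASS PHRASE ARGUMENTS" in openssl(1) (genrsa does accept -passout). The output directory, the CN and the passphrase file are assumptions; the file form is used rather than pass: so the passphrase never appears in the process list or shell history.

```shell
#!/bin/sh
# Added example: the question's genrsa -> req -> cp -> rsa -> x509 sequence
# without any interactive prompts. Not the script from the answer above.
set -eu

# Generate server.key, server.csr, server.crt in directory $1 for CN $2.
# $3 is a file whose first line is the key passphrase (keep it mode 0600).
gen_server_cert() {
    dir="$1"; cn="$2"; passfile="$3"
    umask 077   # new key material is owner-readable only

    # 1. passphrase-protected private key (-des3 as in the question)
    openssl genrsa -des3 -passout "file:$passfile" -out "$dir/server.key" 2048

    # 2. CSR: -subj supplies what the prompts would have asked for,
    #    -passin unlocks the key so no passphrase prompt appears
    openssl req -new -key "$dir/server.key" -passin "file:$passfile" \
        -subj "/C=AU/ST=Victoria/L=Melbourne/O=Example Org/CN=$cn" \
        -out "$dir/server.csr"

    # 3./4. keep the encrypted copy, write an unencrypted key for the daemon
    cp "$dir/server.key" "$dir/server.key.org"
    openssl rsa -in "$dir/server.key.org" -passin "file:$passfile" \
        -out "$dir/server.key"

    # 5. self-signed certificate, valid for one year
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt"
}

# Print the CN of a certificate, to confirm the -subj value was applied.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone demo in a scratch directory (skipped when openssl is absent).
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    printf 'demo-passphrase\n' > "$tmp/pass.txt"   # constructed demo value
    gen_server_cert "$tmp" "mail.example.com" "$tmp/pass.txt"
    cert_cn "$tmp/server.crt"
    rm -rf "$tmp"
fi
```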
