Wednesday, May 19, 2010

Do You Repeatedly Create Certificates using Openssl?

If you are like me and maintain a decent number of web servers, you probably also have more than one SSL certificate on each server. It doesn't take very long for the maintenance to get out of control. I created a standard Unix shell script that walks me through the process using openssl command line parameters. Here is my first go at this script. I am using a Solaris SPARC server and the standard installation of OpenSSL on Solaris.



bash-3.00$ vi create_key_csr.sh
#!/usr/bin/ksh
#This script will create an apache keystore and csr file to be submitted to a CA
#Do not enable shell tracing (-vx) on the line above: the trace would print the passphrase to the terminal
OPENSSL_DIR=/usr/sfw/bin #Verify this is correct on your system
SCRIPT_HOME=/opt/app/apache2/scripts #Could be any location you choose
#The two values only need to differ so that the verify loop below runs at least once
KEYPASSWORD=xxxx
KEYPASSWORD2=yyy


#First create the keystore for the user
echo "Please provide the name of the keystore you want to create."
echo "The file should end with .key extension. "
read KEYSTORE
echo "Second enter the location where you want the keystore created: "
echo "Do not put a trailing slash and the location must exist. "
read DIRECTORY
echo "This is the location and name where the keystore will be created."
echo "$DIRECTORY/$KEYSTORE"


#Prompt for the passphrase with terminal echo off and loop until both entries match
while [ "$KEYPASSWORD" != "$KEYPASSWORD2" ]
do
echo "Choose a password for this private key store. This should be something you never forget!"
stty -echo
read KEYPASSWORD
stty echo
echo "Verify Password:"
stty -echo
read KEYPASSWORD2
stty echo
done
echo "Key Password accepted."

#Hand the passphrase to openssl through the environment (-passout env:) rather than on the
#command line (-passout pass:), where any user on the host can read it from the process list.
#The original used a 1024 bit key; public CAs no longer accept anything shorter than 2048 bits.
export KEYPASSWORD
$OPENSSL_DIR/openssl genrsa -des3 -passout env:KEYPASSWORD -out "$DIRECTORY/$KEYSTORE" 2048

#Alternative: encrypt the output private key using 128 bit AES and the passphrase ``hello'':
# openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello

############################################################################
#GENERATE CSR

#The openssl.cnf file contains your repeat values. I have certificates that have the same values
#for most fields. Put the default values in your openssl.cnf file to store the defaults.
#The path below is relative to the current directory; use $SCRIPT_HOME/openssl.cnf if you keep it there.
echo "What is the name of the Certificate Signing Request file?:"
read CSR
#-passin reuses the passphrase already in KEYPASSWORD so openssl does not prompt for it a second time
$OPENSSL_DIR/openssl req -new -config openssl.cnf -key "$DIRECTORY/$KEYSTORE" -passin env:KEYPASSWORD -out "$DIRECTORY/$CSR"



exit

#There is no warranty on this script. If you see a problem let me know. It is an initial pass at
#building a repeatable process for creating certificates.

When the script is completed you should have a key file and a CSR file ready to give to any Certificate Authority.
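Before the CSR goes to the CA it is worth confirming that the request's self-signature verifies, that the key and the request actually belong together, and that the key is long enough for the CA to accept. The POSIX sh function below is an added example, not part of the original script; it assumes an OpenSSL 1.1 or later `openssl` binary in PATH (for the `pkey` subcommand) and, for a passphrase-protected key, that the passphrase has been exported as KEY_PASS. The function name and the KEY_PASS variable are my own choices.

```sh
#!/bin/sh
# check_key_csr KEYFILE CSRFILE [MIN_BITS]
# Sanity-checks a key/CSR pair before it is sent to a CA (hypothetical helper, not from the post):
#   1. the CSR parses and its self-signature verifies,
#   2. the public key inside the CSR is the one derived from the private key,
#   3. the private key is at least MIN_BITS long (default 2048).
# For a passphrase-protected key, export the passphrase in KEY_PASS first; it reaches
# openssl as "-passin env:KEY_PASS", never as a command line argument.
# Returns 0 when every check passes, 1 otherwise, and prints the reason.
check_key_csr() {
    key=$1
    csr=$2
    min_bits=${3:-2048}
    passin=""
    [ -n "${KEY_PASS:-}" ] && passin="-passin env:KEY_PASS"
    tmp=$(mktemp -d) || return 1

    # 1. Signature check: openssl re-verifies the request with the key embedded in it.
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: $csr is not a valid CSR or its self-signature does not verify"
        rm -rf "$tmp"; return 1
    fi

    # 2. Key match: the PEM public key derived from each file must be identical.
    if ! openssl pkey -in "$key" $passin -pubout >"$tmp/key.pub" 2>/dev/null; then
        echo "FAIL: cannot read private key $key (wrong passphrase or not a key file)"
        rm -rf "$tmp"; return 1
    fi
    openssl req -in "$csr" -noout -pubkey >"$tmp/csr.pub" 2>/dev/null
    if ! cmp -s "$tmp/key.pub" "$tmp/csr.pub"; then
        echo "FAIL: the public key in $csr does not belong to $key"
        rm -rf "$tmp"; return 1
    fi

    # 3. Key length: parse "Private-Key: (NNNN bit" out of the textual key dump.
    bits=$(openssl pkey -in "$key" $passin -text -noout 2>/dev/null |
           sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    rm -rf "$tmp"
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-an unknown number of} bits, CA minimum is $min_bits"
        return 1
    fi
    echo "OK: $csr belongs to $key ($bits bit key)"
}

# Stand-alone use: sh check_key_csr.sh server.key server.csr
if [ $# -ge 2 ]; then
    check_key_csr "$@"
fi
```

A non-zero exit with a "FAIL" line means the CSR should not be submitted; the usual causes are a CSR generated from a different key than the one being deployed, or a key shorter than the CA's minimum.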
