 

Scripting openssl to generate many certificates without manually entering password?

I have created a certificate authority and need to generate and sign 50+ certificates. I wanted to script this process. I don't want to have to manually enter a password 100+ times!

Here is the command I was getting hung up on:

openssl req -newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM -out ~/myCA/tempreq.pem -outform PEM

The problem is, it wants me to create a password with these prompts:

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

When I am just being asked for a password to input I can use the -passin pass:mypass command line option for openssl. But this does not seem to work for creating a password.

Also, it seems strange that a password is required when later I just end up removing it with:

openssl rsa < tempkey.pem > server_key.pem

I tried creating a simple Ruby script:

require 'open3'

Open3.popen2("openssl req -newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM -out ~/myCA/tempreq.pem -outform PEM") {|i,o,t|
    i.puts "mySecretPassword"
    i.puts "mySecretPassword"
}

But this does not seem to work either. I still end up with a manual prompt asking me to create a password.

asked Jan 14 '23 at 23:01 by Michael


2 Answers

As explained in this answer, you can use the -passout pass:foobar option to set a password via the command line. For example:

openssl req \
  -newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM \
  -out ~/myCA/tempreq.pem -outform PEM \
  -passout pass:foobar \
  -subj "/C=US/ST=Test/L=Test/O=Test/CN=localhost"
answered Jan 22 '23 at 10:01 by Fernando Correia
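The -passout approach from this answer scaled up to the batch the question describes, as an added example (not code from the question or either answer). It creates a throwaway CA, then for each host generates an encrypted key and CSR with no prompt, strips the pass phrase the way the question's `openssl rsa` step does, signs the CSR with the CA, and verifies the result. It reads pass phrases from environment variables with -passout env:VAR / -passin env:VAR rather than pass:VALUE, so the secret does not show up in the process list. The directory layout, host names and the variable names PEM_PASS and CA_PASS are assumptions chosen for this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or either answer: batch-generate
# keys and CSRs without any prompt, sign them with a CA, and verify the result.
# The file layout and pass-phrase variable names (PEM_PASS, CA_PASS) are
# assumptions chosen for this example.
set -euo pipefail

# Create a self-signed test CA in $1. The CA key pass phrase comes from the
# CA_PASS environment variable (-passout env:CA_PASS), so it never appears on
# the command line, where "pass:foobar" is visible to every local user via ps.
make_ca() {
  local ca_dir=$1
  mkdir -p "$ca_dir"
  openssl req -x509 -new -newkey rsa:2048 -days 365 \
    -keyout "$ca_dir/cakey.pem" -out "$ca_dir/cacert.pem" \
    -passout env:CA_PASS \
    -subj "/C=US/ST=Test/L=Test/O=Test/CN=Example Test CA"
}

# Generate one encrypted key plus a CSR for host $2 in directory $1.
# -passout env:PEM_PASS answers both "Enter PEM pass phrase" prompts.
gen_key_and_csr() {
  local out_dir=$1 name=$2
  openssl req -new -newkey rsa:2048 \
    -keyout "$out_dir/$name.key.pem" -out "$out_dir/$name.csr.pem" \
    -passout env:PEM_PASS \
    -subj "/C=US/ST=Test/L=Test/O=Test/CN=$name"
  # Same step as the question's "openssl rsa < tempkey.pem > server_key.pem",
  # made non-interactive with -passin; the unencrypted copy is owner-only.
  openssl rsa -in "$out_dir/$name.key.pem" -passin env:PEM_PASS \
    -out "$out_dir/$name.key.unencrypted.pem"
  chmod 600 "$out_dir/$name.key.unencrypted.pem"
}

# Sign the CSR for host $3 (in $2) with the CA in $1.
sign_csr() {
  local ca_dir=$1 out_dir=$2 name=$3
  openssl x509 -req -days 365 \
    -in "$out_dir/$name.csr.pem" \
    -CA "$ca_dir/cacert.pem" -CAkey "$ca_dir/cakey.pem" -CAcreateserial \
    -passin env:CA_PASS \
    -out "$out_dir/$name.cert.pem"
}

# Check that a certificate chains to the CA. Exit status 0 means OK.
verify_cert() {
  local ca_dir=$1 cert=$2
  openssl verify -CAfile "$ca_dir/cacert.pem" "$cert" >/dev/null
}

# Create the CA, then issue $2 host certificates under $1.
# Prints how many of them verified against the CA.
batch_issue() {
  local work_dir=$1 count=$2 ok=0 i name
  make_ca "$work_dir/ca" 2>/dev/null
  for i in $(seq 1 "$count"); do
    name="host$i.example.test"
    gen_key_and_csr "$work_dir" "$name" 2>/dev/null
    sign_csr "$work_dir/ca" "$work_dir" "$name" 2>/dev/null
    verify_cert "$work_dir/ca" "$work_dir/$name.cert.pem" && ok=$((ok + 1))
  done
  echo "$ok"
}

# Usage: PEM_PASS=... CA_PASS=... WORK_DIR=./myCA ./issue.sh run 50
if [ "${1:-}" = "run" ]; then
  batch_issue "${WORK_DIR:-./myCA}" "${2:-50}"
fi
```

If the key does not need to be encrypted at all, the prompt can be skipped entirely with -nodes (OpenSSL 1.x; -noenc in OpenSSL 3) instead of -passout, and the `openssl rsa` step disappears. The env: form is one of several non-interactive sources that -passin/-passout accept; file:path and fd:number work the same way and also keep the phrase off the command line.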


The problem is that most utilities that expect a password require an interactive terminal. So if you try to fake it (like you did with a Ruby script) it will not work. You could also try:

printf 'pass\npass\n' | openssl req ....

While this will work with some programs, those that require an interactive shell will not work.

You are searching for the tool called expect. Install it on your UNIX/Linux/MacOS and see the man page:

man expect
...
Expect is a program that "talks" to other interactive programs according to a script.  Following the script, Expect
knows what can be expected from a program and what the correct response should be.  An  interpreted  language  pro‐
vides  branching  and high-level control structures to direct the dialogue.  In addition, the user can take control
and interact directly when desired, afterward returning control to the script.
...

You need to create an "expect script"; it really depends on your environment and on what the application is asking for. If it is only passwords, it should be simple. Here is a more complex example: http://fixunix.com/openssl/159046-expect-script-doesnt-create-newreq-pem.html

I think this should work (you will maybe need to change it a bit):

#!/usr/bin/expect -f
spawn -console openssl req blah blah blah blah
expect "Enter PEM pass phrase:*" {send "password\r"}
expect "Verifying - Enter PEM pass phrase:*" {send "password\r"}
# wait for openssl to finish writing its output before the script exits
expect eof

Good luck!

answered Jan 22 '23 at 10:01 by lzap