LinuxQuestions.org


akashdeep 11-25-2012 09:41 PM

Shell Script of Automating Client key generating
 
Hello Team,

I need help creating a shell script to automate the generation of VPN client keys for an OpenVPN server. The server is configured on a Debian box.

I see a lot of questions when I try to create a client key, such as:

o Country Name [IN]:
o State or Province (full Name): MH:
o Locality Name [Mumbai]:
o Organization Name []:
o Organization Unit Name:
o Common name :
o Name []:
o Email Address:
o Please enter the following 'extra' attributes to be sent with your certificate request
o A challenge password: <Any Random>
o An optional company name:
o Sign the certificate? [y/n]: <Enter ‘y’>
o 1 out of 1 certificate requests certified, commit? [y/n] <Enter ‘y’>

All the answers to the above questions are stored in a file in the same order.

I would like to automate the process by executing a shell. Please help me to sort it out :)

Thanks in advance..

Berhanie 11-25-2012 10:32 PM

you could start by looking at the req man page. look in the EXAMPLES section for "Sample configuration containing all field values". the idea is that you start with a config file (e.g. user.cnf) which would have all the values (CN, emailAddress, etc.) filled in. then you'd run "openssl req -config /path/to/user.cnf" to generate a csr, which you'd need to sign according to your requirements. following this procedure would entail generating a config file for each user, because you'd probably want certs with the user identity in the CN, but req also allows you to specify values on the command line.

akashdeep 11-25-2012 11:46 PM

Quote:

Originally Posted by Berhanie (Post 4836955)
you could start by looking at the req man page. look in the EXAMPLES section for "Sample configuration containing all field values". the idea is that you start with a config file (e.g. user.cnf) which would have all the values (CN, emailAddress, etc.) filled in. then you'd run "openssl req -config /path/to/user.cnf" to generate a csr, which you'd need to sign according to your requirements. following this procedure would entail generating a config file for each user, because you'd probably want certs with the user identity in the CN, but req also allows you to specify values on the command line.

Hello Berhanie,

Thanks for the quick response. Could you please elaborate on the details? If you can add an example, I would be grateful.

Berhanie 11-26-2012 01:44 AM

To read the examples I mentioned in the man page, you need to type
Code:

man req

But here is something you can try on the command line which does not require editing anything
Code:

openssl req -subj '/countryName=IN/stateOrProvinceName=MH/localityName=Mumbai/organizationName=mycompany/organizationalUnitName=IT Dept/commonName=Akashdeep Something/emailAddress=akashdeep@somewhere/' -new -nodes -newkey rsa:2048 -keyout akashdeep.key -out akashdeep.csr

This will generate a private key akashdeep.key and a csr (certificate signing request) akashdeep.csr. For openvpn, you will need some CA which signs all the user certs and the server cert. You'll have to read about setting up the CA* and using it to sign the CSRs, but everything can be automated. (*In fact, I think the self-signed cert you created in your first post is intended to be the CA cert).

By the way, you can see what's in your key and csr by using these commands:
Code:

openssl rsa -text -in akashdeep.key

Code:

openssl req -text -in akashdeep.csr

Also note that the procedure outlined above generates a non-encrypted key because of the -nodes option.
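
The procedure outlined in the post above (key and CSR from -subj, then signing by a CA), wrapped in a script as an added example that is not code from the thread. The ./ca and ./clients paths, the function names, the 365-day validity and the restriction of client names to letters, digits, ".", "_" and "-" are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive key, CSR and certificate for one VPN client.
# Assumed layout (not from the thread): CA files in $CA_DIR, output in $OUT_DIR.
CA_DIR=${CA_DIR:-./ca}
OUT_DIR=${OUT_DIR:-./clients}
# Subject prefix built from the sample values in the thread (short field names).
SUBJ_BASE='/C=IN/ST=MH/L=Mumbai/O=mycompany/OU=IT Dept'

# Accept only simple account-style names, so a name cannot add subject
# fields (a "/") or point outside $OUT_DIR ("../").
valid_name() {
    case $1 in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# make_client NAME: writes NAME.key, NAME.csr and NAME.crt into $OUT_DIR.
make_client() {
    name=$1
    valid_name "$name" || { echo "invalid client name: $name" >&2; return 2; }
    [ -e "$OUT_DIR/$name.key" ] && { echo "$name.key exists, not overwriting" >&2; return 3; }
    mkdir -p "$OUT_DIR" || return 1
    (
        umask 077    # the key is unencrypted (-nodes): keep it owner-only
        openssl req -new -nodes -newkey rsa:2048 -subj "$SUBJ_BASE/CN=$name" \
            -keyout "$OUT_DIR/$name.key" -out "$OUT_DIR/$name.csr" 2>/dev/null
    ) || return 1
    # Sign the CSR with the CA, then confirm the result chains to it.
    openssl x509 -req -in "$OUT_DIR/$name.csr" -days 365 -sha256 \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -out "$OUT_DIR/$name.crt" 2>/dev/null || return 1
    openssl verify -CAfile "$CA_DIR/ca.crt" "$OUT_DIR/$name.crt" >/dev/null
}

# make_test_ca: throwaway self-signed CA, only for trying the script out.
make_test_ca() {
    mkdir -p "$CA_DIR" || return 1
    (
        umask 077
        openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 \
            -subj '/CN=Example Test CA' \
            -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    )
}
```

Source the file and call make_client once per user name; the return codes 2 (rejected name) and 3 (key already exists) let a calling loop skip bad entries without overwriting anything.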


All times are GMT -5.