LinuxQuestions.org
Old 11-25-2012, 09:41 PM   #1
akashdeep
LQ Newbie
 
Registered: Mar 2009
Posts: 2

Rep: Reputation: 0
Shell Script of Automating Client key generating


Hello Team,

I need help creating a shell script for automating the generation of VPN client keys for an OpenVPN server. The server is configured on a Debian box.

I see a lot of questions when I try to create a client key, such as:

o Country Name [IN]:
o State or Province (full Name): MH:
o Locality Name [Mumbai]:
o Organization Name []:
o Organization Unit Name:
o Common name :
o Name []:
o Email Address:
o Please enter the following 'extra' attributes to be sent with your certificate request
o A challenge password: <Any Random>
o An optional company name:
o Sign the certificate? [y/n]: <Enter ‘y’>
o 1 out of 1 certificate requests certified, commit? [y/n] <Enter ‘y’>

All the answers to the above questions are stored in a file in the same order.

I would like to automate the process by executing a shell script. Please help me sort it out.

Thanks in advance..
 
Old 11-25-2012, 10:32 PM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
you could start by looking at the req man page. look in the EXAMPLES section for "Sample configuration containing all field values". the idea is that you start with a config file (e.g. user.cnf) which would have all the values (CN, emailAddress, etc.) filled in. then you'd run "openssl req -config /path/to/user.cnf" to generate a csr, which you'd need to sign according to your requirements. following this procedure would entail generating a config file for each user, because you'd probably want certs with the user identity in the CN, but req also allows you to specify values on the command line.

Last edited by Berhanie; 11-25-2012 at 10:36 PM.
 
1 members found this post helpful.
Old 11-25-2012, 11:46 PM   #3
akashdeep
LQ Newbie
 
Registered: Mar 2009
Posts: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Berhanie
you could start by looking at the req man page. look in the EXAMPLES section for "Sample configuration containing all field values". the idea is that you start with a config file (e.g. user.cnf) which would have all the values (CN, emailAddress, etc.) filled in. then you'd run "openssl req -config /path/to/user.cnf" to generate a csr, which you'd need to sign according to your requirements. following this procedure would entail generating a config file for each user, because you'd probably want certs with the user identity in the CN, but req also allows you to specify values on the command line.
Hello Berhanie,

Thanks for the quick response. Could you please elaborate on the details? If you can add an example, I would be grateful.
 
Old 11-26-2012, 01:44 AM   #4
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
To read the examples I mentioned in the man page, you need to type
Code:
man req
But here is something you can try on the command line which does not require editing anything
Code:
openssl req -subj '/countryName=IN/stateOrProvinceName=MH/localityName=Mumbai/organizationName=mycompany/organizationalUnitName=IT Dept/commonName=Akashdeep Something/emailAddress=akashdeep@somewhere/' -new -nodes -newkey rsa:2048 -keyout akashdeep.key -out akashdeep.csr
This will generate a private key akashdeep.key and a csr (certificate signing request) akashdeep.csr. For openvpn, you will need some CA which signs all the user certs and the server cert. You'll have to read about setting up the CA* and using it to sign the CSRs, but everything can be automated. (*In fact, I think the self-signed cert you created in your first post is intended to be the CA cert).

By the way, you can see what's in your key and csr by using these commands:
Code:
openssl rsa -text -in akashdeep.key
Code:
openssl req -text -in akashdeep.csr
Also note that the procedure outlined above generates a non-encrypted key because of the -nodes option.

Last edited by Berhanie; 11-26-2012 at 02:01 AM.
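
The procedure from the answer above, carried through to CA signing for a whole list of clients, as an added example that is not part of the original thread. The function names, the throwaway demo CA, client.ext and clients.txt are assumptions made for illustration; keys are written unencrypted (-nodes), as in the answer.

```shell
#!/bin/sh
# Added example: batch-issue OpenVPN client keys and certificates with no prompts.
umask 077    # new private keys readable by the owner only
# Subject fields from the thread; the per-client CN is appended below.
SUBJ_BASE='/C=IN/ST=MH/L=Mumbai/O=mycompany/OU=IT Dept'

# make_demo_ca DIR: throwaway CA for this demo (assumption: a real setup
# already has its own ca.crt/ca.key and keeps ca.key off the VPN server).
make_demo_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 \
        -subj "$SUBJ_BASE/CN=Demo VPN CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # Extension file so issued certs are marked for TLS client use.
    printf 'extendedKeyUsage=clientAuth\n' > "$1/client.ext"
}

# issue_client DIR NAME: key, CSR and CA-signed cert for one client.
issue_client() {
    dir=$1; name=$2
    # Reject names that could alter the -subj string or the output path.
    case $name in
        ''|*[!A-Za-z0-9._-]*) echo "bad client name: $name" >&2; return 1 ;;
    esac
    # Never overwrite a key that was already issued.
    [ ! -e "$dir/$name.key" ] || { echo "$name.key exists" >&2; return 1; }
    # 2>/dev/null hides openssl's progress output; drop it when debugging.
    openssl req -new -nodes -newkey rsa:2048 -batch \
        -subj "$SUBJ_BASE/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/$name.csr" -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/$name.crt" 2>/dev/null &&
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null
}

# issue_all DIR: read client names on stdin, one per line.
issue_all() {
    while IFS= read -r n; do
        [ -n "$n" ] || continue
        # </dev/null keeps openssl from consuming the remaining names.
        issue_client "$1" "$n" </dev/null || echo "skipped: $n" >&2
    done
}
# Usage: make_demo_ca /some/dir; issue_all /some/dir < clients.txt
```

Restricting client names to a fixed character set matters here because the name is interpolated into both the -subj string and the output file path.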
 
  

