LinuxQuestions.org
03-09-2016, 12:26 PM   #1
Defested
LQ Newbie
 
Registered: Mar 2015
Posts: 9

Rep: Reputation: Disabled
Scripting openssl commands


Hey all,

I am trying to write a script for generating a CA and having it sign a new key, but there are menus which are standing in the way of scripting it. Could you help me script it out?

The steps that I am trying to script are:

[12:19 username@kennel03 mir]$ openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
............................+++
e is 65537 (0x10001)
[12:19 username@kennel03 mir]$ openssl req -x509 -new -nodes -key rootCA.key -days 3650 -sha256 -out rootCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Wisconsin
Locality Name (eg, city) [Default City]:Madison
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:kennel03
Email Address []:
[12:20 username@kennel03 mir]$ ls
rootCA.key rootCA.pem
[12:20 username@kennel03 mir]$ openssl genrsa -aes256 -out kennel03.key 2048
Generating RSA private key, 2048 bit long modulus
.....................+++
...................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for kennel03.key:
Verifying - Enter pass phrase for kennel03.key:
[12:21 username@kennel03 mir]$ openssl req -new -key kennel03.key -out kennel03.csr
Enter pass phrase for kennel03.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Wisconsin
Locality Name (eg, city) [Default City]:Madison
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Kennel03
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[12:22 username@kennel03 mir]$ ls
kennel03.csr kennel03.key rootCA.key rootCA.pem
[12:22 username@kennel03 mir]$ openssl x509 -req -in kennel03.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out kennel03.crt -days 3650 -sha256
Signature ok
subject=/C=US/ST=Wisconsin/L=Madison/O=Default Company Ltd/CN=Kennel03
Getting CA Private Key
 
03-09-2016, 01:17 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
I haven't done it myself but it appears you can disable prompt so it takes values from the configuration files.

If you do "man openssl" and go to "SEE ALSO" section you'll see that many of the things you do have their own man pages. This includes the "req" you're doing in your second command. If you do "man req" you'll see where it talks about prompt being set to no and has a discussion of the distinguished name.

Alternatively you could install "expect" and use it to wait for the prompts and provide answers. (Expect can be used with most interactive sessions.) However, were it me I'd investigate the no prompt facility of openssl first.
 
1 members found this post helpful.
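
The no-prompt route described in the reply above (prompt = no in a req configuration file), applied to the commands from the first post. This is an added example, not part of the thread; the function names, the KEY_PASS variable and the CA common name are assumptions.

```bash
#!/usr/bin/env bash
# Added example: non-interactive version of the thread's CA + host certificate steps.
# Assumptions: KEY_PASS holds the host key pass phrase; the DN values are samples.

# Write a req config with "prompt = no" so openssl req takes the DN from the file.
write_req_cnf() {   # usage: write_req_cnf FILE COMMON_NAME
    cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
C  = US
ST = Wisconsin
L  = Madison
CN = $2

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

make_pki() {   # usage: make_pki OUTPUT_DIR HOSTNAME
    local dir=$1 host=$2
    [ -n "${KEY_PASS:-}" ] || { echo "set KEY_PASS first" >&2; return 1; }
    export KEY_PASS                     # "env:" sources read the process environment
    mkdir -p "$dir" || return 1
    (   # subshell: cd and umask do not leak into the caller
        umask 077 && cd "$dir" &&
        write_req_cnf ca.cnf "$host root CA" &&   # CA subject must differ from the host's
        write_req_cnf host.cnf "$host" &&
        openssl genrsa -out rootCA.key 2048 &&    # unencrypted CA key, as in the thread
        openssl req -x509 -new -nodes -key rootCA.key -days 3650 -sha256 \
            -config ca.cnf -out rootCA.pem &&
        openssl genrsa -aes256 -passout env:KEY_PASS -out "$host.key" 2048 &&
        openssl req -new -key "$host.key" -passin env:KEY_PASS \
            -config host.cnf -out "$host.csr" &&
        openssl x509 -req -in "$host.csr" -CA rootCA.pem -CAkey rootCA.key \
            -CAcreateserial -out "$host.crt" -days 3650 -sha256 &&
        openssl verify -CAfile rootCA.pem "$host.crt"
    )
}

# Run as: KEY_PASS=... ./script.sh OUTPUT_DIR HOSTNAME
if [ "$#" -eq 2 ]; then make_pki "$1" "$2"; fi
```

Like the original commands, this issues a host certificate without a subjectAltName; add one through `openssl x509 -extfile` if your clients require it.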
  


All times are GMT -5.
