Shell Script to provide "answers" to SSL Cert Request

Hello,

I need assistance with creating a shell script to generate SSL Certificate Requests on remote hosts. Below is my stab at this, but I cannot figure out how to pass the requested arguments into the openssl command correctly. I have a major problem with redirecting the "answers" into the openssl cert request. "hostlist" would contain any hosts that need the certificate signed.

#!/bin/sh
#
Country=US
State=CA
City="San Jose"      # a value containing a space has to be quoted
Organization=Engineering
Host=""
Email=" "
for i in `cat hostlist`
do
  Host="$i"
  # genrsa has no -config option, and -rand expects a file argument;
  # -des3 prompts for a key passphrase, which blocks an unattended run
  ssh $i "sudo openssl genrsa -des3 -out /tmp/serverkey.$i 1024"
  echo $Country > /tmp/cert-data
  echo $State >> /tmp/cert-data
  echo $City >> /tmp/cert-data
  echo $Organization >> /tmp/cert-data
  echo $Host >> /tmp/cert-data
  echo $Email >> /tmp/cert-data
  scp /tmp/cert-data certuser@$i:/tmp/cert-data
  # the answers are read from the local copy of the file on ssh's stdin
  ssh $i sudo openssl req -new -key /tmp/serverkey.$i -out /tmp/server.csr.$i -config /usr/share/ssl/openssl.cnf < /tmp/cert-data
done

Once I get that to work, I can scp the /tmp/serverkey.$i to my Cert Authority and sign it.

Thank You.

You can use the "-batch" openssl option to avoid being prompted for values when generating the CSR.

Generate the CSR and KEY files on the local system and scp them, instead of running the command on the remote system. You may also modify your original script with the commands provided below to perform the tasks remotely, if for some reason that is a requirement:

  • Save the below as openssl.cnf and edit the last section to match your requirements. In your FOR loop, for each server you need to update the value of commonName_default to the server's FQDN.
#-------------openssl.cnf----------------
[ req ]
default_bits        = 1024      # Size of keys
default_keyfile     = key.pem   # name of generated keys
default_md          = md5       # message digest algorithm (md5 is no longer accepted by CAs; use sha256)
string_mask         = nombstr   # permitted characters
distinguished_name  = req_distinguished_name

[ req_distinguished_name ]
# Variable name            Prompt string
0.organizationName       = Organization Name (company)
organizationalUnitName   = Organizational Unit Name (department, division)
emailAddress             = Email Address
emailAddress_max         = 40
localityName             = Locality Name (city, district)
stateOrProvinceName      = State or Province Name (full name)
countryName              = Country Name (2 letter code)
countryName_min          = 2
countryName_max          = 2
commonName               = Common Name (hostname, IP, or your name)
commonName_max           = 64


#-------------------Edit this section------------------------------
countryName_default     = US
stateOrProvinceName_default = CA
localityName_default        = San Francisco
0.organizationName_default  = example_company
organizationalUnitName_default  = Information Systems
commonName_default          = server_name
emailAddress_default            = admin@example.com
  • Generate key
openssl genrsa -out <hostname>.key 1024
  • Generate Certificate Signing Request
openssl req -new -nodes -key <hostname>.key -out <hostname>.csr -config openssl.cnf -batch
  • Copy CSR and KEY files
scp <hostname>.key certuser@<hostname>:/<path>
scp <hostname>.csr certuser@<hostname>:/<path>
  • Delete files from local system.
rm -f <hostname>.key
rm -f <hostname>.csr

Awesome yonix...batch mode kicked butt.

I had to create the following to dynamically update my openssl.cnf file for each host when generating my cert signing request (all of the $VARs are just locations to files and dirs):

for i in `cat $HOSTLIST`
do
  echo '======'
  echo "$i"
  /usr/local/bin/sudo sh -c " sed 's/commonName_default          = .*/commonName_default          = $i/g' $OPENSSLCNF > $SIGNREQS/tmpfile && /usr/local/bin/sudo mv $SIGNREQS/tmpfile $OPENSSLCNF"
  /usr/local/bin/sudo openssl req -new -nodes -key $CERTREQS/$i.key -out $SIGNREQS/$i.csr -config $OPENSSLCNF -batch
done

Also, I used the "yes" command when running my signing script, as I didn't want to have to enter "y" over and over, like this:

   yes | /usr/local/bin/sudo ./sign-certreq

This worked out great. Thanks for the assistance.
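An added example, not posted by anyone in this thread, that combines yonix's -batch approach with a complete config file written per host (prompt = no, a 2048-bit key, sha256 and a subjectAltName). Because each host gets its own file, nothing read from the host list is spliced into a sed expression or a `sudo sh -c` string as in the follow-up loop; every name is checked against a DNS-label pattern first and anything else is skipped and logged. Only the .csr needs to travel to the CA; the key stays in the output directory with 0600 permissions. The DN values, the OUTDIR variable, the function names and the host names are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: unattended CSR generation for a list of
# hosts using a per-host config file instead of sed-editing a shared one.
# Assumed (hypothetical) layout: one host name per line in the file passed to
# gen_all, output under $OUTDIR. The DN values below are constructed samples.

OUTDIR="${OUTDIR:-./csr-out}"

# Accept only plausible DNS names (labels of letters, digits and '-', not
# starting or ending with '-'). Anything else from the host list is refused
# instead of being interpolated into a command line or a config file.
valid_hostname() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# Print a complete openssl.cnf for one host. With prompt = no the DN is read
# verbatim from this file, so -batch never falls back to *_default values and
# nothing has to be edited in place for each host.
write_req_config() {
    host=$1
    cat <<EOF
[ req ]
default_bits        = 2048
default_md          = sha256
string_mask         = utf8only
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = v3_req

[ req_distinguished_name ]
C  = US
ST = CA
L  = San Jose
O  = Engineering
CN = ${host}

[ v3_req ]
subjectAltName = DNS:${host}
EOF
}

# Key and CSR for one host; returns non-zero and writes nothing for a name
# that fails validation, so a bad line in the list is logged and skipped.
gen_csr() {
    host=$1
    if ! valid_hostname "$host"; then
        printf 'skipping invalid host name: %s\n' "$host" >&2
        return 1
    fi
    mkdir -p "$OUTDIR"
    write_req_config "$host" > "$OUTDIR/$host.cnf"
    # Subshell so the restrictive umask applies only to the key/CSR files.
    # The .key never leaves this directory; only the .csr goes to the CA.
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$OUTDIR/$host.key" -out "$OUTDIR/$host.csr" \
        -config "$OUTDIR/$host.cnf" -batch )
}

# Batch driver: read the list line by line (no word splitting, no backticks),
# skipping blank lines and continuing past hosts that fail.
gen_all() {
    while IFS= read -r h || [ -n "$h" ]; do
        [ -n "$h" ] || continue
        gen_csr "$h" || continue
    done < "$1"
}
```

Run it as `gen_all hostlist` for the whole list, or `gen_csr web01.example.com` for a single host; openssl has to be present on the machine where the keys are generated, and the remaining step is to copy each `$OUTDIR/<host>.csr` to the CA.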