I need assistance with creating a shell script to generate SSL Certificate Requests on remote hosts. Below is my stab at this, but I cannot figure out how to pass the requested arguments into the openssl command correctly. I have a major problem with redirecting the "answers" into the openssl cert request. "hostlist" would contain any hosts that need the certificate signed.
You can use the "-batch" openssl option to avoid being prompted for values when generating a CSR.
Generate the CSR and KEY files on the local system and scp them instead of running the command on a remote system. You may also modify your original script with the commands provided to perform the tasks remotely if for some reason that is a requirement:
Save the below as openssl.cnf and edit the last section to match your requirements. In your FOR loop, for each server you need to update the value of commonName_default to the server's FQDN.
#-------------openssl.cnf----------------
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# Variable name Prompt string
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
#-------------------Edit this section------------------------------
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = San Francisco
0.organizationName_default = example_company
organizationalUnitName_default = Information Systems
commonName_default = server_name
emailAddress_default = admin@example.com
I had to create the following to dynamically update my openssl.cnf file for each host when generating my cert signing request (all of the $VARs are just locations to files and dirs):
while IFS= read -r i
do
    echo '======'
    echo "$i"
    # Rewrite commonName_default for this host, then swap the new file into place
    # (sh -c already runs as root, so the inner sudo on mv is not needed)
    /usr/local/bin/sudo sh -c "sed 's/commonName_default = .*/commonName_default = $i/' '$OPENSSLCNF' > '$SIGNREQS/tmpfile' && mv '$SIGNREQS/tmpfile' '$OPENSSLCNF'"
    /usr/local/bin/sudo openssl req -new -nodes -key "$CERTREQS/$i.key" -out "$SIGNREQS/$i.csr" -config "$OPENSSLCNF" -batch
done < "$HOSTLIST"
Also, I used the "yes" command when running my signing script, as I didn't want to have to enter "y" over and over, like this:
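The per-host loop above rewrites one shared openssl.cnf under sudo and leaves the template modified after each run. As an added example (not code from the question or the answers), the script below instead renders a throwaway config per host with prompt = no, generates the key and CSR with -batch, and checks that the resulting CSR carries the intended CN before it is shipped anywhere. The HOSTLIST/OUTDIR layout, the DN values and the subjectAltName line are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes HOSTLIST is a file with
# one FQDN per line and OUTDIR is where keys/CSRs go. Instead of rewriting a
# shared openssl.cnf with sed under sudo, a config is rendered per host, so
# concurrent runs cannot clobber each other and the template never changes.
set -eu

# Print an openssl req config for one host with every DN value pre-filled
# (prompt = no), so "openssl req -batch" never asks. DN values are constructed.
render_cnf() {
    host=$1
    cat <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req
[ req_distinguished_name ]
C  = US
ST = CA
L  = San Francisco
O  = example_company
OU = Information Systems
CN = $host
[ v3_req ]
subjectAltName = DNS:$host
EOF
}

# Generate a key and CSR for one host, then confirm the CSR carries the
# intended CN before it is shipped off. Skips (status 0) without openssl.
make_csr() {
    host=$1; outdir=$2
    command -v openssl >/dev/null 2>&1 || return 0
    render_cnf "$host" > "$outdir/$host.cnf"
    openssl req -new -nodes -newkey rsa:2048 -keyout "$outdir/$host.key" \
        -out "$outdir/$host.csr" -config "$outdir/$host.cnf" -batch 2>/dev/null
    openssl req -in "$outdir/$host.csr" -noout -subject | grep -q "CN *= *$host"
}

# Walk the host list with read -r instead of `cat` in backticks; blank lines skipped.
gen_all() {
    hostlist=$1; outdir=$2
    while IFS= read -r h; do
        [ -n "$h" ] || continue
        make_csr "$h" "$outdir"
    done < "$hostlist"
}
```

Because each host gets its own .cnf under OUTDIR, nothing in the loop needs sudo unless OUTDIR itself is root-owned.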