
Automation of OpenSSL CSR (Certificate Signing Request) creation

As part of my job routine I need to create CSRs for the various new sites we maintain and mail them to the CA. Creating a CSR is a two-step process: first we create a key, which is a simple one-line command, and then we create the CSR. For the second step we need to enter some information about the certificate we are asking the CA to sign. Generally I paste this information in while creating the CSR, but one day I had to create approximately 5-6 certificates at once, and at that point copying and pasting this information no longer felt like the best way to create CSRs; moreover, it is error prone.

So I did some research on this issue and found a solution. Basically we need to create a “conf” file and pass it to the “openssl req” command using the “-config” option.

Below are two solutions to this issue.

Prerequisites :-

  • Installation of “openssl” tool.
  • “uuencode” and “mailx”, if you want to send mails using “solution 2”.

Note :- Code can be downloaded at “http://weblogic-wonders.com/weblogic/wp-content/uploads/2011/01/VASCreateSSL1.zip”.

Solution 1:-

This is a simple solution. We create a “conf” file containing all the required details and then execute the “openssl req” command. Please find the attached ‘vasSSLTest.conf’.

==================================

dir = .
siteName = vastestapp.com

[ req ]
default_bits = 2048
default_keyfile = ${siteName}.key
distinguished_name = req_distinguished_name
prompt = no
output_password = <Password for the key file>

[ req_distinguished_name ]
C = US
ST = CA
L = SFO
O = VAS Technology
OU = VAS IT
CN = ${siteName}

==================================

Explanation :-

dir :- Value for this variable is “.”. It marks the current directory, the one from which we execute “openssl req”, as the place where the “key” and “csr” are created. Note that nothing else in this conf references ${dir}; the key is written to the path in default_keyfile and the CSR to the path given with “-out”, both relative to the directory you run the command in.

siteName :- Value for this variable is “vastestapp.com”. This is the site for which we are creating the CSR; it is reused below as ${siteName} for both the key file name and the CN.

[req] :- Block. This block contains all the settings used by the “req” sub-command.

default_bits :- Specifies the key size in bits. This field is commonly set to “1024”, but in this example we are creating a key with “2048”, as the conf above shows.

distinguished_name :- Value for this field is “req_distinguished_name”. This value is a pointer to the block “req_distinguished_name”, which defines the values of the variables “C, ST, L, O, OU, CN”.

prompt :- Value for this field is “no”. Setting it to “no” disables prompting for the certificate fields; all values are taken from the “conf” file instead.

output_password :- Value for this field is “<Password you want to secure your key with>”. Because this password sits in clear text in the “conf” file, keep the file readable only by you (for example “chmod 600”) and remove or scrub it once the key has been created.

req_distinguished_name :- In this block we define the distinguished name information, which the CA will use when signing the CSR.

C :- Country

ST :- State.

L :- Locality (location/city)

O :- Organization

OU :- Organization Unit

CN :- Common Name (here we provide the ‘siteName’). In this case the site name is ‘vastestapp.com’.

Once you have defined the ‘conf’ file as above, you just need to execute the command below to create the ‘CSR’ and ‘KEY’ files.

openssl req -new -config <Config File Name> -out <CSR File Name>

Config File Name :- the ‘conf’ file we just created.

CSR File Name :- This is where the output of ‘openssl req’ is stored. This is the CSR file we will be sending to the CA.

Solution 2:-

This solution is an extension of ‘solution 1’. We use the same ‘openssl req’ command, but build a ‘wrapper’ shell script around it.

You can download the code at “http://weblogic-wonders.com/weblogic/wp-content/uploads/2011/01/VASCreateSSL1.zip”.

OverView :-

When we execute this script, it creates a new ‘conf’ file for the new site, creates the ‘key’ file, creates the ‘CSR’ file and finally mails the ‘CSR’ to the e-mail addresses mentioned in the ‘ksh’ script. Only the CSR goes out by mail; the ‘key’ file stays on the machine where the script ran.

The attached zip file contains the following files:

1) vasSSLTest.conf :- This is a template file. We create the ‘conf’ for the new site by copying this file and replacing the placeholders ‘APPNAME’, ‘SITENAME’ and ‘ENV’ with the values defined in ‘vasSite.properties’.

2) vasSite.properties :- In this file we define all the properties of the new site for which we are creating the CSR.

appname=vasTestApp
sitename=vastestapp.com
env=prod

3) VASCreateCSR.ksh :- This is the main engine. This ‘ksh’ script contains all the logic to create the new CSR and mail it to you. It has the following important blocks; check the attached zip for more details.

  • Define variables.
  • Define various functions and call them.
  • Execute the ‘openssl req’ command.
  • Mail the CSR.

4) vasEMail.conf :- This is the e-mail template file, which can be edited to suit individual requirements.

5) VASCreateCSRScriptExplanation.txt :- This is a plain text file which explains the logic of the “VASCreateCSR.ksh” in brief.

Execution :-

chmod 700 VASCreateCSR.ksh

./VASCreateCSR.ksh vasSite.properties

Note :- I tested the script in the “Korn” shell and it works perfectly for me. If anyone finds an issue, please comment and I will try to fix it.

Validation :-

1) We can test the ‘CSR’ that has been created at the site ‘http://www.thawte.nl/en/support/test+your+csr/’.

2) We can also check that the key and its password work with the command “openssl rsa -in vastestapp.com.key -check”. When prompted, enter the password you set for the variable “output_password” in “vasSSLTest.conf”.
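To show the whole pipeline of Solution 2 (render the site ‘conf’ from a template and a properties file, run ‘openssl req’, then run the checks from the Validation section) in one place, here is an added example in POSIX sh. It is not the post's VASCreateCSR.ksh and not taken from the zip; mailing is left out. It assumes the template marks its placeholders as @APPNAME@, @SITENAME@ and @ENV@ (delimited, so they cannot match inside other text), that the property keys are appname, sitename and env as in vasSite.properties, and it uses a constructed placeholder password.

```shell
#!/bin/sh
# Added example, not the post's own VASCreateCSR.ksh. Assumed names: the
# @APPNAME@/@SITENAME@/@ENV@ placeholders and the three property keys;
# the password "changeit-placeholder" is a constructed stand-in.

# write_template FILE: writes a constructed template shaped like vasSSLTest.conf.
write_template() {
    cat > "$1" <<'EOF'
siteName = @SITENAME@

[ req ]
default_bits = 2048
default_keyfile = @SITENAME@.key
distinguished_name = req_distinguished_name
prompt = no
output_password = changeit-placeholder

[ req_distinguished_name ]
C = US
ST = CA
L = SFO
O = VAS Technology
OU = @APPNAME@ (@ENV@)
CN = ${siteName}
EOF
}

# read_prop KEY FILE: value of KEY from a key=value properties file (first match).
read_prop() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | tr -d '\r'
}

# Property values are spliced into the conf with sed, so anything outside a tight
# character set is refused. This keeps sed metacharacters out of the substitution
# and stops a malformed properties file from adding directives to the generated conf.
safe_value() {
    case $1 in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# render_conf PROPERTIES TEMPLATE: the "copy the template and replace APPNAME,
# SITENAME, ENV" step of Solution 2; the rendered conf goes to stdout.
render_conf() {
    appname=$(read_prop appname "$1")
    sitename=$(read_prop sitename "$1")
    envname=$(read_prop env "$1")
    for v in "$appname" "$sitename" "$envname"; do
        safe_value "$v" || { echo "render_conf: unsafe or missing value in $1" >&2; return 1; }
    done
    sed -e "s/@APPNAME@/$appname/g" -e "s/@SITENAME@/$sitename/g" -e "s/@ENV@/$envname/g" "$2"
}

# create_csr CONF OUTDIR: Solution 1's command. openssl writes the key to
# default_keyfile relative to its working directory, so run it inside OUTDIR;
# then verify the CSR's self-signature and print the CSR path on success.
create_csr() {
    conf=$1
    case $conf in /*) ;; *) conf=$PWD/$conf ;; esac
    site=$(sed -n 's/^siteName = //p' "$conf")
    ( cd "$2" && openssl req -new -config "$conf" -out "$site.csr" 2>/dev/null ) || return 1
    openssl req -noout -verify -in "$2/$site.csr" >/dev/null 2>&1 || return 1
    printf '%s\n' "$2/$site.csr"
}

# check_key KEYFILE PASSWORD: the "openssl rsa -check" step from Validation,
# made non-interactive by passing the password on the command line.
check_key() {
    openssl rsa -in "$1" -check -noout -passin "pass:$2" >/dev/null 2>&1
}

# csr_subject CSRFILE: the subject line of the CSR, for a quick eyeball check
# before mailing it to the CA.
csr_subject() {
    openssl req -noout -subject -in "$1"
}
```

Usage mirrors the post's execution step: write the properties file, `render_conf vasSite.properties vasSSLTest.conf > vastestapp.com.conf`, then `create_csr vastestapp.com.conf .` and `check_key vastestapp.com.key <password>`. The `safe_value` gate is the one check worth keeping even if you rewrite the rest in ksh: the properties file becomes part of a configuration that openssl parses, so its values should be validated, not trusted.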

References :-

As usual, my favourite website (Google) has a solution for every issue. The entire solution here is based on research from sites returned by Google. If I have missed any site, please comment and I will add it to the references. I apologize in advance for not mentioning a site in ‘references’; this was unintentional.

Google.com :- Search words ‘openssl conf’

https://www.sit.auckland.ac.nz/Automating_CSR_creation

http://www.openssl.org/docs/apps/req.html#

Thanks,

Weblogic-Wonders Team

Dream, Learn, Share and Inspire !

Disclaimer :-

This script is not the best solution; a better, more elegant script can be written, but this is just an example of how I solved the issue I faced. Any suggestions or comments regarding these scripts are welcome.