Self-signing a certificate... quickly

I've been using SSL/TLS certs for a long, long time - I've even had to re-issue my personal CA cert after it expired after 5 years. However, every time I've issued a self-signed cert for an internal site, openssl prompted me interactively for the Country, State, Locality, etc. etc. blah, blah, blah. The lack of automation was exceptionally annoying. I knew the defaults could be customized so that only the Common Name would have to be entered, but that wasn't enough. The openssl req manual page has an example of a config file that shouldn't prompt (Sample configuration containing all field values), but it doesn't work.

After spending considerable time today trying to craft a custom template openssl.cnf file, I finally found a blog post that mentions the -subj argument, which completes the certificate request without any prompting. The only prompting now done is for the rsa command if you're encrypting your keyfile. And of course, this can be automated with the -passin arg, if needed. Here is a full example:
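# FQDN of SSL/TLS site (placeholder value - set to your host)
CN="www.example.com"

# preflight
C="US"
ST="New York"
L="New York"
O="Example.com Inc."
OU="Systems Team"
# placeholder value - set to your contact address
emailAddress="admin@example.com"

# create a private key
openssl genrsa -out "${CN}.key" 2048
# create a certificate request
openssl req \
    -new \
    -subj "/C=$C/ST=$ST/L=$L/O=$O/OU=$OU/CN=$CN/emailAddress=$emailAddress" \
    -key "${CN}.key" \
    -out "${CN}.csr"
# create cert (self-signed with the same key, valid for 10 years)
openssl x509 -req -days 3650 -in "${CN}.csr" -signkey "${CN}.key" -out "${CN}.crt"

# optional - encrypt key
# move key
mv "${CN}.key" "${CN}.key.plain"
# encrypt key
# (add '-passout pass:password' or '-passout file:pathname' for no prompting;
#  -passin only applies when the input key is already encrypted.
#  Prefer file: since a pass: value is visible in the process list.)
# see openssl(1) manpage
# (-des3 is a legacy cipher; -aes256 is accepted in its place)
openssl rsa -des3 -in "${CN}.key.plain" -out "${CN}.key.crypt"
# rename key
mv "${CN}.key.crypt" "${CN}.key"
# clean up
rm "${CN}.key.plain"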
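
The config-file route mentioned above also runs without prompts when the [ req ] section sets prompt = no and the DN section holds values rather than prompt text. The sketch below is an added example, not part of the original post: it writes such a file, includes a subjectAltName (which current browsers check instead of the Common Name), and verifies the result. The function names, file layout and sample values are assumptions.

```shell
# Added example: self-signed cert from a generated config with prompt = no.
# Function names and DN values are illustrative, not from the original post.
make_selfsigned() (
    cn="$1"; outdir="$2"; days="${3:-365}"
    cnf="$outdir/$cn.cnf"
    umask 077   # subshell only: key and config are owner-readable
    cat > "$cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3

[ dn ]
C  = US
ST = New York
L  = New York
O  = Example.com Inc.
OU = Systems Team
CN = $cn

[ v3 ]
subjectAltName   = DNS:$cn
extendedKeyUsage = serverAuth
EOF
    # -x509 emits a self-signed cert directly; -nodes leaves the key unencrypted
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$cnf" -keyout "$outdir/$cn.key" -out "$outdir/$cn.crt"
)

# Print the subjectAltName value line of a certificate
cert_san() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Succeed only if the private key ($2) belongs to the certificate ($1)
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}
```

Call it as `make_selfsigned host.example.com /some/dir 3650`; the key, certificate and generated config land in that directory.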
