Is it possible to import the -subj from a text file openSSL?
Hi, I'm trying to create a self-signed certificate for a school project and I need to import the -subj fields from a .txt file.
What I have now is:
openssl req -new -newkey rsa:2048 -nodes -keyout key.key -out key.csr -subj "/C=US/ST=NY/L=NY/O=HW/CN=NAME"
Is it possible to import the file with a built in function using only one line of code?
openssl req -new -newkey rsa:2048 -nodes -keyout key.key -out key.csr -subj "filename.txt"
If not, how should I approach this issue? I'm using simple batch files to create certificates.
How about this?
openssl req -new -newkey rsa:2048 -nodes -keyout key.key -out key.csr -subj `cat filename.txt`
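As an added shell example (not code from the thread), here is a version of the answer above that reads the subject from a file but trims a CR and quotes the value, so a space inside a field such as "New York" and a Windows line ending do not corrupt the DN; subj_from_file needs no openssl, while make_csr assumes openssl is on PATH, and filename.txt is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads the value for -subj from a
# text file holding one line such as /C=US/ST=New York/L=NY/O=HW/CN=NAME.
# subj_from_file needs no openssl; make_csr assumes openssl is on PATH.
set -u
WORK=$(mktemp -d) && cd "$WORK"

# Print the subject stored in file $1, or fail with a message.
# A bare `cat file` in backticks would word-split on the space in "New York"
# and keep the CR of a Windows-edited file; either corrupts the DN.
subj_from_file() {
    subj=$(head -n 1 "$1" | tr -d '\r')
    case "$subj" in
        /*=*) ;;                                   # must look like /KEY=value...
        *) echo "bad subject in $1: '$subj'" >&2; return 1 ;;
    esac
    printf '%s\n' "$subj"
}

# Create key + CSR with the subject from file $1, then print the CSR's subject.
make_csr() {
    subj=$(subj_from_file "$1") || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout key.key -out key.csr \
        -subj "$subj" 2>/dev/null || return 1        # quoted, so spaces survive
    openssl req -in key.csr -noout -subject
}

# Constructed sample input: a space inside a value and a CRLF line ending.
printf '/C=US/ST=New York/L=NY/O=HW/CN=NAME\r\n' > filename.txt
subj_from_file filename.txt
if command -v openssl >/dev/null 2>&1; then make_csr filename.txt; fi
```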
Related
For testing purposes, I need a revoked PEM certificate.
So I created a certificate:
Generate CSR & KEY: openssl req -new -newkey rsa:4096 -nodes -keyout test.key -out test.csr
Generate PEM and self-sign with KEY: openssl x509 -req -sha256 -days 365 -in test.csr -signkey test.key -out test.pem
When I try to revoke with openssl -revoke I get the error "variable lookup failed".
How can I revoke this certificate?
I am building a command line script to create a client certificate using OpenSSL "mini CA" feature.
I have a CA certificate and CA private key encrypted with a password. With those things I am trying to create the client certificate and stumbled upon the command line syntax. How do I specify the password for the CA's private key?
So far, I have ...
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-CAkeypassin pass:client-caPK <-- does not work
-CAcreateserial
-out client.crt
-days 365
See the highlighted parameter. I expect something like this, but I cannot find it anywhere in the docs.
Corrected
Just for the record. The -signkey parameter is used for self-signed certificates. CAs don't have access to the client's private key and so will not use this. Instead, the -passin parameter refers to the CA's private key.
openssl x509
-req
-in client.csr
-CA client-ca.crt
-CAkey client-ca.key
-passin pass:CAPKPassword
-CAcreateserial
-out client.crt
-days 365
Use -passin pass as shown below.
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-passin pass:secret <-- try this
-CAcreateserial
-out client.crt
-days 365
Background
I'm trying to run mongo locally in the same way that production will run, with full SSL verification enabled. Mongo is complaining about the certs being self-signed, but I'm specifying a ca.crt file that I think should be treated as a root cert to validate against. If that's reasonable, then I think either my mongo config or the cert generation is not correct.
SSL keys/certs/pem
To create the ssl stuff I'm running the following
#!/bin/sh
# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/emailAddress=dev@gmail.com"
# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/emailAddress=dev@gmail.com"
# Sign the server cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create server PEM file
cat server.key server.crt > server.pem
# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "/emailAddress=dev@gmail.com"
# Sign the client cert
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# Create client PEM file
cat client.key client.crt > client.pem
Mongo DB config
The mongo config I'm then running with (inside docker), is the following. (Where /data/mongo is the location generated to above).
net:
  port: 27017
  ssl:
    mode: requireSSL
    CAFile: /data/mongo/ca.crt
    PEMKeyFile: /data/mongo/server.pem
    allowInvalidHostnames: true
setParameter:
  enableLocalhostAuthBypass: true
and running via
mongo --config config/location
Connecting to mongo
I then try to connect to the server using the mongo command line as follows.
mongo --ssl --sslPEMKeyFile /data/mongo/client.pem --sslCAFile /data/mongo/ca.crt
And get the following output
MongoDB shell version: 3.2.14
connecting to: test
2017-07-19T20:12:31.456+0000 I NETWORK [initandlisten] connection accepted from 127.0.0.1:60516 #1 (1 connection now open)
2017-07-19T20:12:31.461+0000 E NETWORK [conn1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 I NETWORK [conn1] end connection 127.0.0.1:60516 (0 connections now open)
2017-07-19T20:12:31.461+0000 E NETWORK [thread1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:229:14
@(connect):1:6
exception: connect failed
Got it! Basically it needed more data in the subject line, or CN needed to be ROOTCA for the CA. Anyone that could comment on why would be appreciated.
#!/bin/sh
prefix="/C=CN/ST=GD/L=city/O=company"
# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "${prefix}/CN=ROOTCA"
# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "${prefix}/CN=127.0.0.1"
# Sign the server cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create server PEM file
cat server.key server.crt > server.pem
# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "${prefix}/CN=127.0.0.1"
# Sign the client cert
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# Create client PEM file
cat client.key client.crt > client.pem
Some related resources if anyone is having similar troubles
Answer was found/taken from
https://www.mongodb.com/blog/post/secure-mongodb-with-x-509-authentication
https://raw.githubusercontent.com/tjworks/mongoscripts/master/x509/setup-x509.sh
A Stack Exchange question almost identical to mine can also be found at
https://dba.stackexchange.com/questions/151251/mongodb-error-self-signed-certificate-in-certificate-chain?newreg=20bca440682842c085a8764dd7c91e96
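As an added shell example (not code from either thread) tying the corrected mini-CA signing above (-passin, read here from a file rather than pass: on the command line) to the mongo failure: a leaf whose issuer DN equals its own subject DN and carries no authority key identifier is treated by OpenSSL's chain builder as self-signed and must then match the trust store exactly, which a different ca.crt cannot, so the first script failed and giving the root its own CN fixed it. Assumes openssl on PATH; subjects and passphrase are constructed sample values, and newer OpenSSL releases, which add an authority key identifier by default, may verify even the first case, so it is shown but not asserted.

```shell
#!/bin/sh
# Added example, not code from the original posts. Needs openssl on PATH.
# Shows (a) the corrected "mini CA" signing with a passphrase-protected CA key,
# feeding the passphrase via -passin file: so it never appears in ps output or
# shell history, and (b) why a leaf whose issuer DN equals its own subject DN
# is treated as self-signed. Subjects below are constructed sample values.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; exit 0; }
WORK=$(mktemp -d) && cd "$WORK"
umask 077
printf '%s\n' 'constructed-ca-passphrase' > ca.pass    # constructed sample secret

# $1 = CA subject, $2 = leaf subject, $3 = output file prefix
make_ca_and_leaf() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -subj "$1" \
        -keyout "$3-ca.key" -passout file:ca.pass -out "$3-ca.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -subj "$2" \
        -keyout "$3-leaf.key" -out "$3-leaf.csr" 2>/dev/null
    # No -signkey: the CA signs with its own key and -passin unlocks that key.
    openssl x509 -req -sha256 -days 365 -in "$3-leaf.csr" \
        -CA "$3-ca.crt" -CAkey "$3-ca.key" -passin file:ca.pass \
        -CAcreateserial -out "$3-leaf.crt" 2>/dev/null
}

# Succeeds when the certificate's issuer DN equals its subject DN.
cert_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Succeeds when leaf $2 chains to the CA certificate in $1.
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Case 1: CA and leaf share one DN, as in the first mongo script above.
make_ca_and_leaf "/emailAddress=dev@example.com" "/emailAddress=dev@example.com" same
# Case 2: the fix, a root with its own CN.
make_ca_and_leaf "/O=company/CN=ROOTCA" "/O=company/CN=127.0.0.1" distinct

if cert_self_issued same-leaf.crt; then
    echo "same-leaf.crt: issuer DN == subject DN, so OpenSSL may classify it as self-signed"
fi
cert_self_issued distinct-leaf.crt || echo "distinct-leaf.crt: issuer DN differs from subject DN"
verify_leaf distinct-ca.crt distinct-leaf.crt && echo "distinct-leaf.crt verifies against distinct-ca.crt"
```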
My question is simply: What is the encoding of the .pem and .csr file created by openssl using this command:
openssl req -nodes -newkey rsa:2048 -keyout key.pem -out some.csr \
-subj "/C=XY/ST=UVW/L=SOMETOWN/O=STH/OU=STHELSE/CN=my.cert.test"
I paste some information below; I do not know whether it matters for the answer to this question:
I am working in an xterm under X11. I have an up-to-date Linux distribution (openSUSE Leap 42.2) and use openssl in my shell to create a CSR file. I have the setting XTERM_LOCALE=de_DE.UTF-8 in my environment.
You can set the encoding by passing -outform DER or -outform PEM, where DER is a binary file and PEM is base64-encoded.