[openssl-users] scripting creating a cert
Robert Moskowitz
rgm at htt-consult.com
Mon Mar 13 21:26:29 UTC 2017
Viktor,
On 03/09/2017 05:53 PM, Viktor Dukhovni wrote:
>> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>
>>> $ umask 077 # avoid world-readable private keys
>> Perhaps (no perhaps about it) this is old information, but I picked up that I needed:
>>
>> chmod 640 for the private keys for Apache. (and postfix and others use these certs; at least they are in their confs)
> I strive to avoid the private disclosure race of first creating
> a world-readable file, and then trying to do a quick chmod before
> the bad guys get around to opening it. That's why I recommend the
> umask approach.
>
> You can adjust the umask to suit your needs. With OpenSSL 1.1.0,
> if I recall correctly "keyout" files and the like are automatically
> opened mode "0600". Rich Salz, who wrote the CLI option processing
> code for 1.1.0 will correct me, if my memory is faulty. There are
> still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
> always figure out which files end up having private keys in them,
> so the umask approach is a good precaution to keep using.
Rich got me some help and I have put the following together:
Set the following variables:
countryName=
stateOrProvinceName=
localityName=
organizationName=
organizationalUnitName=
emailAddress=postmaster@$your_domain_tld
Then the following commands create the certs:
restore_mask=$(umask -p)   # bash: captures e.g. "umask 0022" so it can be run again at the end
umask 077                  # new files are created 0600 from the start, no chmod race
cd /etc/pki/tls
commonName=$your_host_tld
openssl req -new -outform PEM -out certs/$commonName.crt \
    -newkey rsa:2048 -nodes -keyout private/$commonName.key -keyform PEM -days 3650 \
    -x509 -extensions v3_req \
    -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"
chmod 640 private/$commonName.key   # group read for the services that use the key
commonName=webmail$your_domain_tld
openssl req -new -outform PEM -out certs/$commonName.crt \
    -newkey rsa:2048 -nodes -keyout private/$commonName.key -keyform PEM -days 3650 \
    -x509 -extensions v3_req \
    -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"
chmod 640 private/$commonName.key
commonName=localhost
openssl req -new -outform PEM -out certs/$commonName.crt \
    -newkey rsa:2048 -nodes -keyout private/$commonName.key -keyform PEM -days 3650 \
    -x509 -extensions v3_req \
    -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"
chmod 640 private/$commonName.key
$restore_mask   # runs the saved "umask NNNN" command to restore the original mask
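The umask-first approach Viktor describes, as an added example rather than code from the thread: a POSIX sh helper that runs the key-generating command with umask 077 in force, restores the caller's umask afterwards, and only then relaxes the key to 0640 for the service group. The directory layout, function names, group argument and subject prefix are assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example (not from the thread). Key files are created with umask 077 in force,
# so there is no instant at which they are world-readable; the later chmod only
# narrows or widens within the owner/group bits, never touching "other".

# Print the permission bits of a file as three octal digits (GNU stat, then BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Run a command with umask 077 in force and restore the caller's umask afterwards,
# propagating the command's exit status.
with_private_umask() {
    saved_mask=$(umask)      # POSIX: prints the current mask, e.g. 0022
    umask 077
    "$@"
    rc=$?
    umask "$saved_mask"
    return $rc
}

# Create an empty private file; it is born 0600 because of the umask, not chmod.
create_private_file() {
    mkdir -p "$(dirname "$1")"
    with_private_umask touch "$1"
}

# Grant read access to the group that runs the TLS service (Apache, Postfix, ...)
# without widening to "other". $2 is an optional group name to chgrp to.
relax_for_service() {
    if [ -n "$2" ]; then
        chgrp "$2" "$1"
    fi
    chmod 640 "$1"
}

# Generate a self-signed certificate like the posted script does, with the key
# written under umask 077. Usage: gen_cert <base_dir> <commonName> "/C=XX/O=Example"
gen_cert() {
    base=$1; cn=$2; subj_prefix=$3
    mkdir -p "$base/certs" "$base/private"
    with_private_umask openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$base/private/$cn.key" -out "$base/certs/$cn.crt" \
        -subj "$subj_prefix/CN=$cn" 2>/dev/null || return 1
    chmod 644 "$base/certs/$cn.crt"   # the certificate is public; the key stays 0600
}
```

Run it from a directory where you can write (for example a scratch copy of /etc/pki/tls) and check `key_mode private/<name>.key` prints 600 before `relax_for_service` and 640 after. The point of `with_private_umask` is that the restrictive mask wraps exactly the command that writes the key, which matters on 1.0.2 and earlier where OpenSSL does not open key outputs 0600 on its own.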