[openssl-users] scripting creating a cert

Robert Moskowitz rgm at htt-consult.com
Mon Mar 13 21:26:29 UTC 2017


Viktor,

On 03/09/2017 05:53 PM, Viktor Dukhovni wrote:
>> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>
>>>    $ umask 077 # avoid world-readable private keys
>> Perhaps (no perhaps about it) this is old information, but I picked up that I needed:
>>
>> chmod 640 for the private keys for Apache.  (and postfix and others use these certs; at least they are in their confs)
> I strive to avoid the private disclosure race of first creating
> a world-readable file, and then trying to do a quick chmod before
> the bad guys get around to opening it.  That's why I recommend the
> umask approach.
>
> You can adjust the umask to suit your needs.  With OpenSSL 1.1.0,
> if I recall correctly "keyout" files and the like are automatically
> opened mode "0600". Rich Salz, who wrote the CLI option processing
> code for 1.1.0 will correct me, if my memory is faulty.  There are
> still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
> always figure out which files end up having private keys in them,
> so the umask approach is a good precaution to keep using.

Rich got me some help and I have put the following together:

Set the following variables:

countryName=
stateOrProvinceName=
localityName=
organizationName=
organizationalUnitName=
emailAddress=postmaster@$your_domain_tld

Then the following commands create the certs:

restore_mask=$(umask -p)   # bash: "umask -p" prints a reusable "umask NNNN" command
umask 077                  # every file created from here on, keys included, starts out 0600
cd /etc/pki/tls
commonName=$your_host_tld

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 -nodes \
    -keyout private/$commonName.key -keyform PEM -days 3650 -x509 -extensions v3_req \
    -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key   # group-readable for the services that load the key, nobody else
commonName=webmail.$your_domain_tld

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 -nodes \
    -keyout private/$commonName.key -keyform PEM -days 3650 -x509 -extensions v3_req \
    -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key
commonName=localhost

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 -nodes \
    -keyout private/$commonName.key -keyform PEM -days 3650 -x509 -extensions v3_req \
    -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key
$restore_mask   # runs the saved "umask NNNN" command, restoring the original mask
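The same procedure as a reusable POSIX-sh function, added here as an example; it is not part of the original post or of OpenSSL itself. It keeps the thread's ordering (key created while umask 077 is in effect, so the file is never world-readable for even an instant, then relaxed to 0640), but scopes the umask to a subshell so that no "umask -p" bash-ism is needed to restore the caller's mask, and it adds a check of the resulting modes and subject. The subject fields are constructed placeholders; it assumes "openssl" is on PATH, that $1 is the commonName and $2 a base directory under which certs/ and private/ are created.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed cert/key creation
# with the private key born under umask 077, then relaxed to 0640.
# Assumptions: openssl on PATH; $1 = commonName; $2 = base directory.
# Subject fields below are constructed placeholders.

make_selfsigned() {
    cn=$1
    base=$2
    [ -n "$cn" ] && [ -n "$base" ] || return 1
    mkdir -p "$base/certs" "$base/private" || return 1
    # The umask change lives in a subshell: the caller's mask is restored
    # automatically when the subshell exits, with nothing to "undo" by hand.
    (
        umask 077
        openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
            -keyout "$base/private/$cn.key" -out "$base/certs/$cn.crt" \
            -subj "/C=XX/ST=Somewhere/L=Nowhere/O=Example Org/OU=IT/CN=$cn/emailAddress=postmaster@$cn" \
            >/dev/null 2>&1
    ) || return 1
    # Key: owner and the service's group may read it, nobody else.
    chmod 640 "$base/private/$cn.key" || return 1
    # The certificate is public; undo the 0600 the umask gave it.
    chmod 644 "$base/certs/$cn.crt" || return 1
}

# Permission string of a file as ls prints it, e.g. "-rw-r-----".
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Subject CN of a certificate; strips the "CN=" / "CN = " formatting that
# differs between OpenSSL releases and anything that follows the CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
}

# Usage (uncomment to run stand-alone):
# make_selfsigned www.example.test /tmp/pki && file_mode /tmp/pki/private/www.example.test.key
```

Because the umask is set inside "( ... )", a failure partway through the openssl run still leaves the caller's mask untouched, and any extra files openssl might write in that window inherit the restrictive 0600 as well.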