I have several hundred testing virtual-hosts on a private server. I need to automatically generate self-signed SSL certificates for each of them, but I'm running into a problem: "Enter PEM Pass Phrase."
I do not want a pass phrase. I do not want to enter a pass phrase a hundred times. (And the "-passin pass:blah" option appears to do nothing... I am still prompted.)
Furthermore, each key must correspond to the virtual-host name ("/CN=blah") to which it will eventually be placed.
So, I have an immediate need for "somebody's script that does this." Help!!
Well, how about that ... I think I just answered my own question!
The command-line parameter I needed was "-passout," not "-passin."
-pass"out" defines the "output password source," and this apparently qualifies as an "output password."
-pass"in" defines the "input password source," but there is no such thing in this case. The option is ignored.
And the next thing you need to do, of course, is to remove the key.
So, the sequence of commands that I believe will do the job is:
(1) Create the key, with a dummy password, e.g.:
openssl req -x509 -newkey rsa:2048 -keyout my.pass.key -out my.crt -days 365 -subj "/C=US/ST=State/L=City/O=company/OU=Com/CN=www.testserver.local" -passout pass:ABCDABCD
(2) Now generate a password-free key:
openssl rsa -in my.pass.key -out my.key -passin pass:ABCDABCD
(3) "Kill the spare" ...
rm my.pass.key
Related
Sometimes I test an SSL website on my local machine. I was tired to use a self-signed certificate and add them to my KeyChain on Mac (Browser or other OS). Moreover, Chrome always complains about them. Moreover, this approach was a bit different from the one used in production.
I found this article very useful where you create once your own CA root certificate, add it once to your keychain and then you use the CA private key to sign thousands of SSL test certificate for my local websites.
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
The tutorial works great but I would like to automate it. For the CA root certificate it was easy, I simply used the option -subj like this:
openssl req -x509 -new -nodes -key /certs/myCA.key -sha256 -days 1825 -subj "/C=$CA_COUNTRY/ST=$CA_STATE/L=$CA_CITY/O=$CA_ORGANIZATION/CN=$CA_COMMON_NAME" -out /certs/myCA2.pem
where the environment variable (CA_COUNTRY, CA_STATE, CA_CITY, CA_ORGANIZATION, CA_COMMON_NAME) are read from an external file.
However, when I tried to replicate the same thing for the website certificate I wasn't able to get the same result. The command is this:
openssl x509 -req -in dev.deliciousbrains.com.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out dev.deliciousbrains.com.crt -days 825 -sha256 -extfile dev.deliciousbrains.com.ext
It seems that the -subj option doesn't work. Is there a way to pass the info above to this command and avoid interactive questions?
The command you show openssl x509 -req -CA/-CAkey ... does not ask any questions except the key password if there is one (which if you followed the instructions at the linked page there is). It is the preceding command to create the CSR openssl req -new that prompts for the subject name, and for that (like the command for creating the CA cert which is also req but with -x509 -- note -x509 is not the same as x509) you can use -subj. The statement on that page that "your answers don’t matter" isn't quite correct; it is true that when you use SubjectAlternativeName in the leaf cert, as that page advises/directs, the value of Subject is ignored for (at least) HTTPS server identification, but it must (still) be different from the name used for the CA to allow certificate validation to work. Standards allow the Subject name in a leaf cert to be empty when SAN is used (and empty is always different from nonempty and a nonempty name is required in the CA cert) but OpenSSL doesn't handle that case.
I have one confusion while generating CSR and key file.
My domain name is like www.abc.example
I have to run command like that on terminal:
openssl req -new -newkey rsa:2048 -nodes -keyout abc.key -out abc.csr
or
openssl req -new -newkey rsa:2048 -nodes -keyout abc.example.key -out abc.example.csr
?
The filenames have no consequences on the result, you can name them whatever you want.
Even the extensions are just conventions to make human life simpler.
You just need to make sure of course that all applications using them will use their proper name.
My personal advice would be to use the full domain name in the filename, especially if you have to maintain many different certificates (in which case you may need to handle certificates for both example.com and example.net at the same time if they are two different certificates, you will need the TLD in the filename to discriminate between them).
I'm trying to install an SSL certificate on XAMPP, Windows 10 but no matter what I do I get this error:
22632:error:28069065:lib(40):UI_set_result:result too small:.\crypto\ui\ui_lib.c:830:You must type in 4 to 511 characters
22632:error:0906406D:PEM routines:PEM_def_callback:problems getting password:.\crypto\pem\pem_lib.c:116:
22632:error:0907E06F:PEM routines:DO_PK8PKEY:read key:.\crypto\pem\pem_pk8.c:130:
unable to load Private Key
18224:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:707:Expecting: ANY PRIVATE KEY
server.csr: No such file or directory
Could Not Find c:\xampp\apache\server.csr
The system cannot find the file specified.
The system cannot find the file specified.
-----
Das Zertifikat wurde erstellt.
The certificate was provided.
Press any key to continue . . .
makecert.bat:
#echo off
set OPENSSL_CONF=./conf/openssl.cnf
if not exist .\conf\ssl.crt mkdir .\conf\ssl.crt
if not exist .\conf\ssl.key mkdir .\conf\ssl.key
bin\openssl req -new -out server.csr
bin\openssl rsa -in privkey.pem -out server.key
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
set OPENSSL_CONF=
del .rnd
del privkey.pem
del server.csr
move /y server.crt .\conf\ssl.crt
move /y server.key .\conf\ssl.key
pause
It looks like server.crt, server.csr, and server.key were created and they sit in the conf/sll... as stated in makecert.bat , I have also tried other passwords with no success.
Setting set OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf didn't help either, nor did changing openssl.cnf to openssl.cfg (like some people suggest on other related SO questions).
I'm spamming google with this question for hours and no Stack Overflow answers seemed to help either.
EDIT: Adding an image to show that this issue is happening even with a completely new pem file. (the pem file name was changed to privkey77.pem by me for testing purposes, I get the same error obviously).
png
EDIT #2: Even creating a new key with password with openssl genrsa -des3 -out mykey.pem 2048 returns: 27492:error:28069065:lib(40):UI_set_result:result too small:.\crypto\ui\ui_lib.c:830:You must type in 4 to 1023 characters.
So I basically cannot create pem files with passwords for some reason.
Can anyone please help?
I've managed to avoid this error by passing the -nodes arg to the line that triggers the error, as suggested here.
My makecert.bat file, in line 7, looks like this:
bin\openssl req -new -out server.csr -nodes
This parameter disables the authentication completely. I don't know if this had any side effects in the certificate, since I haven't managed to make it work and I don't know why. (Maybe is because of this, or maybe is something else)
I am needing to automate the generation of self signed SSL certificates for testing purposes for a project. I am generating a certificate and key using the following OpenSSL command:
> openssl req -x509 -newkey rsa:2048 -keyout myserver.key -out myserver.crt -subj "/C=US/ST=California/L=San Diego/O=Development/OU=Dev/CN=example.com"
During generation you are prompted to create a PEM pass phrase:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
How can I automate this? I have tried the -passin argument like this:
openssl ...... -passin pass:foobar .....
also
openssl ...... -passin file:secretfile.txt .....
But in both cases it still asks for to create a PEM pass phrase. From what I read I think that passin is only adding a password to the key file...
Is it possible to automate this somehow?
The process creates a password protected key file. It thus needs a password which gets used to store this output file. But the -passin argument you use is for reading an input file. From the documentation:
-passin arg - the input file password source
Instead you need the proper option to specify the output password, i.e.
-passout arg - the output file password source
As I don't know the openssl command's arguments by heart, I am used to referring to the same SO answer whenever I need to create self-signed certificates (for testing environments). The command looks like:
openssl req -x509 -nodes -newkey rsa:2048 -keyout mysite.key -out mysite.crt -days 365
And it usually works, for instance on my current Ubuntu 15.10. Today I'm on a fresh install of Debian Jessie and it doesn't. Apache warns at startup that:
[ssl:warn] [pid 1040] AH01906: www.mysite.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
I looked for a solution to the problem and found an answer in a linux forum stating that the following should be used instead:
openssl genrsa -des3 -passout pass:x -out mysite.pass.key 2048
openssl rsa -passin pass:x -in mysite.pass.key -out mysite.key
openssl req -new -key mysite.key -out mysite.csr
openssl x509 -req -days 365 -in mysite.csr -signkey mysite.key -out mysite.crt
And it's true, this way the Apache warning disappears.
As far as I understand, this creates a passphrase-protected key, then removes the passphrase, then creates a CSR, then generates the certificate with both the CSR and the key.
So the question is: what does this longer version do that the shorter doesn't, and why is it necessary in some cases (like today for me)?
Short way (e.g. with OpenSSL 1.1.0f and Apache 2.4.37):
openssl genrsa -out notEncodedPk.key 3072
openssl req -new -out website.csr -sha256 -key notEncodedPk.key
openssl x509 -req -in website.csr -days 365 -signkey notEncodedPk.key -out website.cert -outform PEM
genrsa generates a 3072 bit RSA-Key. (The system should be online for some time to have good data in /dev/(u)random for seeding.) There is no need to generate an encrypted PK (1) and then use rsa to remove the password afterwards. (Maybe earlier versions of the tools required a password?)
req creates the certificate signing request and uses the PK for the signature. Providing something like -sha256 for the digest is optional. (3) Provide your infos in the interactive questionare. Ensure to put your site domain in "Common name:", otherwise the Apache will throw a warning (AH01909) and browsers will throw an "invalid certificate" message because the URL/domain does not match the certificate data (2). Leave "A challange password:" empty.
Use x509 to create a self-signed certificate with -signkey (the subject is copied to issuer). Normally the command works on certificates but with -req it accepts a CSR as an input. Then use your PK for signing the certificate. (-outform and -days are optional, with 30 days as the default value for the latter.)
Problem source:
As user207421 already stated: req creates a CSR OR it creates a self-signed root-CA-like certificate, therefore the typical tutorial tip
openssl req -x509 -nodes -days 365 -newkey rsa:3072 -sha256 -keyout website.key -out website.cert
is short but normally not what you want. You can also compare created certificates with
openssl x509 -text -noout -in website.cert
In the certificate, created with the single-line command, you see a section "X509v3 extensions:" with "X509v3 Basic Constraints: critical CA:TRUE". This is exactly the Apache warning message.
Instead, if you create the certificate with the three steps, the "X509v3 extensions:" section is not included into the certificate.
Appendix:
(1) Securing the PK with a password is a good idea in most cases. If the PK is stored without encryption, make sure to restrict access to root. If you use a password, you have to use the -passout/-passin options, but be aware that a simple "x" does not work anymore because some OpenSSL tools require at least 4 characters (otherwise: "result too small/bad password read"). Additionally in Apache you have to use something like SSLPassPhraseDialog buildin to manually enter the required password for the PK (or even for all PKs/certs) during Apache startup.
(2) Anyway, browsers will display a warning for self-signed certificates.
(3) Using SHA-1 would be inadequate for such a large RSA-key. In general, it is a good idea to review your openssl.conf, e.g. in Debian 9 in /etc/ssl/openssl.conf, which contains various defaults, for example signer_digest = sha256.
In the Debian 9 file, you also find in the [req] section a line x509_extensions=v3_ca and this is the reason, why the req command in combination with the -x509 option adds the CA-related extension (basicContraints=critical,CA:true), if used in the single-line style to create a self-signed certificate.
Addidionally you might notice a comment-line # req_extensions=v3_req. Because this line is commented out (in Debian 9 default openssl.cnf), the simple usage of the req command does not include any extensions.
Note that you might use this line in a modified file to add Subject Alternative Name's to the certificate, e.g. so it can handle multiple (sub-)domains (normally a much better choice than using e wildcard in CN, e.g. *.example.com).
complete CA and SSL creation / setup help:
I created my own CA cert and used it to load into browser (as CA authority) and sign my self-created SSL cert for my Apache_on_ubuntu website.
steps:
generate my CA private key:
# openssl genrsa -des3 -out /etc/ssl/private/myCA.key 2048
generate root certificate: *****send myCA.pem to all desktop/client browsers.
# openssl req -x509 -days 5475 -new -nodes -key /etc/ssl/private/myCA.key -sha256 -out /etc/ssl/certs/myCA.pem
Install the root CA in firefox. (cp myCA.pem to windows box)
in firefox: options -> privacy_&_security -> view_certificates -> certificate_manager -> Authorities -> import
Creating CA-Signed Certificates for Your Sites
4.1: create website private key:
# openssl genrsa -out /etc/ssl/private/www.mywebsite.com.key 2048
4.2: create website CSR: Note: answers don’t need to match the CA cert ans.
# openssl req -new -key /etc/ssl/private/www.mywebsite.com.key -out /etc/ssl/private/www.mywebsite.com.csr
4.3: Create config file: config file is needed to define the Subject Alternative Name (SAN) extension. "method to match a domain name against a certificate – using the available names within the subjectAlternativeName extension"
# vi /etc/ssl/private/www.mywebsite.com.ext
...............I have not used the ext file option.....(for hosting multiple SSL sites and certs on same host)
4.4: Create the certificate:
# openssl x509 -req -in /etc/ssl/private/www.mywebsite.com.csr -CA /etc/ssl/certs/myCA.pem -CAkey /etc/ssl/private/myCA.key -CAcreateserial -out /etc/ssl/certs/www.mywebsite.com.crt -days 5475 -sha256
create ssl-conf file:
# cat /etc/apache2/conf-available/ssl-params.conf
# modern configuration, tweak to your needs
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
restart apache:
# systemctl restart apache2
Figure out which openssl.cnf you are using.
Select the correct section name that is doing your request.
Take out the CA:TRUE part (or change it to CA:FALSE) from the basicConstraint in the openssl.cnf that you are using.
Recreate the certificate the exact same way you did.
Your Apache webserver will no longer see a CA, much less a self-signed CA but just an ordinary self-signed certificate.
I had the same problem just today on Debian 9 stretch and I tried your solution to generate a new certificate using your method and it did not work. The warning in Apache was exactly the same.
I found out that the problem was that in my browser were stored other 6 certificates with the same FQDN. I erased the certificates and the problem has gone.
EDIT: Well, there's still the warning actually but at least everything is working.
openssl req creates a CSR or a CA root certificate. See the man page. It is not what you want. The second set of steps is correct.