HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Custom Email Address for SSL Certificate Generation (http://www.howtoforge.com/forums/showthread.php?t=34271)

doughold 28th April 2009 23:25

Custom Email Address for SSL Certificate Generation
 
I am trying to generate an ssl cert for www.domain.com and the email is defaulting to user@www.domain.com in the csr. Is there any way to change this so that I can specify what email address is used in the CSR?

tebokkel 29th April 2009 10:34

I use this for self-signed certificates.
Alternative: get identified by CACert and get certificates there.

(note: accidentally I used cacert as the name for my own CA, it's the CA certificate after all.. ;) )

Code:

pizza CA # ls -l
total 64
-r-------- 1 root root 1513 Jul 29  2007 cacert.pem
-rw-r--r-- 1 root root 2800 Dec 13 13:50 cert.pem
-rw-r--r-- 1 root root  239 Dec 13 13:50 index.txt
-rw-r--r-- 1 root root   20 Dec 13 13:50 index.txt.attr
-rw-r--r-- 1 root root   21 Jul 29  2007 index.txt.attr.old
-rw-r--r-- 1 root root  117 Jul 29  2007 index.txt.old
-rwxr-xr-x 1 root root  237 Jul 29  2007 makeCSR.sh
drwxr-xr-x 2 root root 4096 Dec 13 13:50 newcerts
-rw-r--r-- 1 root root 2075 Jul 29  2007 openssl.cnf
dr-x------ 2 root root 4096 Nov 13 16:32 private
drwxr-xr-x 2 root root 4096 Dec 13 13:50 public
-rwxr-xr-x 1 root root  358 Jul 29  2007 renew.sh
drwxr-xr-x 2 root root 4096 Nov 13 16:32 requests
-rw-r--r-- 1 root root    3 Dec 13 13:50 serial
-rw-r--r-- 1 root root    3 Jul 29  2007 serial.old
-rwxr-xr-x 1 root root  426 Jul 29  2007 signCSR.sh

pizza CA # cat openssl.cnf
#
# OpenSSL configuration file.
#
#
# Establish working directory.
dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
# openssl ca reads these as name_opt / cert_opt; the value is ca_default
name_opt = ca_default
cert_opt = ca_default
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
# Variable name  Prompt string
#----------------------  ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name  Value
#------------------------------  ------------------------------
0.organizationName_default = Ingenieursbureau Te Bokkel
organizationalUnitName_default = System Administration
localityName_default = Apeldoorn
stateOrProvinceName_default = Gelderland
countryName_default = NL
emailAddress_default = hostmaster@tebokkel.com

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
# Extensions for a CSR. To have them included, reference this section with
# "req_extensions = v3_req" in the [ req ] section; distinguished_name and
# req_extensions are [ req ] keys and do not belong in an extension section.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash


pizza CA # cat makeCSR.sh
#!/bin/sh
# see http://www.debian-administration.org/articles/284
# Creates a new private key and a CSR for the given hostname; the DN fields
# (including emailAddress) come from the defaults in openssl.cnf.

if [ -n "$1" ] && [ -z "$2" ]; then
        openssl req -new -nodes -keyout "private/$1.key" -out "requests/$1.csr" -config ./openssl.cnf
else
        echo "Usage: $0 host.domain.tld"
        exit 1
fi


pizza CA # cat signCSR.sh
#!/bin/sh
# see http://www.debian-administration.org/articles/284
# Signs requests/<host>.csr with the CA and stores the certificate in public/.

if [ -n "$1" ] && [ -r "requests/$1.csr" ]; then
        if openssl ca -out cert.pem -config ./openssl.cnf -infiles "requests/$1.csr"; then
                openssl x509 -in cert.pem -out "public/$1.crt.pem"
                # makeCSR.sh writes the key as private/<host>.key
                echo "Successful! Please take private/$1.key and public/$1.crt.pem"
        fi
else
        echo "Usage: $0 host.domain.tld"
        echo "(CSR should exist in requests directory)"
        exit 1
fi


pizza CA # cat renew.sh
#!/bin/sh
# Revokes the existing certificate for <host> in the CA database, then signs
# the CSR in requests/ again via signCSR.sh.

if [ -n "$1" ] && [ -r "public/$1.crt.pem" ]; then
        if openssl ca -revoke "public/$1.crt.pem" -config ./openssl.cnf; then
                echo
                echo "Revoked, now signing a new certificate!"
                echo
                ./signCSR.sh "$@"
        else
                echo "Revocation failed. Aborting.."
                exit 1
        fi
else
        echo "Usage: $0 host.domain.tld for which a certificate exists"
        exit 1
fi
pizza CA #


tebokkel 29th April 2009 10:38

BTW, the answer to your question is in the emailAddress_default line in the openssl.cnf.
I just dumped all scripts that work together with it..

Paul
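
As an added example (not part of the thread, not tebokkel's scripts), the following POSIX shell script shows the mechanism the answer above points at: the CSR's emailAddress comes from the DN values in the config passed with -config, so a non-interactive config with an explicit emailAddress puts exactly that address into the CSR instead of user@www.domain.com. It also shows the check a practitioner wants, reading the subject back out of the finished CSR before sending it to a CA. The hostname, address and organisation are constructed; the script assumes only an openssl binary in PATH and writes into a temporary directory. It deliberately uses sha256 and 2048-bit keys rather than the md5 and 1024-bit defaults in the config above, since public CAs no longer accept either.

```shell
#!/bin/sh
# Added example: build a CSR with an explicitly chosen emailAddress and read
# the subject back to verify it. Not from the thread; all names constructed.
set -eu

WORK="${TMPDIR:-/tmp}/csr-demo.$$"

# Write a minimal non-interactive req config. With "prompt = no" every key
# under [ req_dn ] is taken literally as the DN value, so emailAddress is
# whatever we put here, never a default derived from the hostname.
write_req_config() {
    host="$1"; email="$2"; out="$3"
    cat > "$out" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
string_mask        = utf8only
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
C            = NL
ST           = Gelderland
L            = Apeldoorn
O            = Example BV
CN           = $host
emailAddress = $email

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:$host
EOF
}

# Generate a new private key and CSR for hostname $1 with contact address $2.
# Prints the path of the CSR.
make_csr() {
    host="$1"; email="$2"
    mkdir -p "$WORK"
    chmod 700 "$WORK"
    write_req_config "$host" "$email" "$WORK/req.cnf"
    openssl req -new -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    printf '%s\n' "$WORK/$host.csr"
}

# Extract one RDN value (e.g. emailAddress or CN) from a CSR's subject.
# "-nameopt compat" keeps the /X=Y/X=Y layout stable across OpenSSL versions.
csr_field() {
    csr="$1"; field="$2"
    openssl req -in "$csr" -noout -subject -nameopt compat \
        | tr '/' '\n' | sed -n "s/^$field=//p"
}

csr_email() { csr_field "$1" emailAddress; }
csr_cn()    { csr_field "$1" CN; }

# Usage when run directly: make a CSR and show what a CA would see.
if [ "${DEMO:-0}" = 1 ]; then
    csr=$(make_csr www.example.com hostmaster@example.com)
    echo "CSR:   $csr"
    echo "CN:    $(csr_cn "$csr")"
    echo "email: $(csr_email "$csr")"
fi
```

Run it with DEMO=1 to see the generated CSR's CN and emailAddress. Checking the subject with openssl req -noout -subject before submitting is the same check a CA does on receipt, and it catches the defaulted user@www.domain.com address before it is baked into a certificate.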

doughold 1st May 2009 00:45

Thanks for the script, I'll keep it in my repertoire. However, I probably should have made myself more clear in that I am getting a cert from GoDaddy and I don't want to self-sign it. Is there a reason that this option isn't available in the UI of ISPConfig?

till 1st May 2009 12:01

If you want to make a feature request for this then please post it as a feature request in the bugtracker.

