Custom Email Address for SSL Certificate Generation

Discussion in 'Installation/Configuration' started by doughold, Apr 28, 2009.

  1. doughold

    doughold New Member

  2. tebokkel

    tebokkel New Member

    I use this for self-signed certificates.
    Alternative: get identified by CACert and get certificates there.

    (not: accidently I used cacert as name for my own CA, it's the CA certificate after all.. ;) )

    Code:
    pizza CA # ls -l
    total 64
    -r-------- 1 root root 1513 Jul 29  2007 cacert.pem
    -rw-r--r-- 1 root root 2800 Dec 13 13:50 cert.pem
    -rw-r--r-- 1 root root  239 Dec 13 13:50 index.txt
    -rw-r--r-- 1 root root   20 Dec 13 13:50 index.txt.attr
    -rw-r--r-- 1 root root   21 Jul 29  2007 index.txt.attr.old
    -rw-r--r-- 1 root root  117 Jul 29  2007 index.txt.old
    -rwxr-xr-x 1 root root  237 Jul 29  2007 makeCSR.sh
    drwxr-xr-x 2 root root 4096 Dec 13 13:50 newcerts
    -rw-r--r-- 1 root root 2075 Jul 29  2007 openssl.cnf
    dr-x------ 2 root root 4096 Nov 13 16:32 private
    drwxr-xr-x 2 root root 4096 Dec 13 13:50 public
    -rwxr-xr-x 1 root root  358 Jul 29  2007 renew.sh
    drwxr-xr-x 2 root root 4096 Nov 13 16:32 requests
    -rw-r--r-- 1 root root    3 Dec 13 13:50 serial
    -rw-r--r-- 1 root root    3 Jul 29  2007 serial.old
    -rwxr-xr-x 1 root root  426 Jul 29  2007 signCSR.sh
    
    pizza CA # cat openssl.cnf 
    # 
    # OpenSSL configuration file. 
    #
    #
    # Establish working directory. 
    dir = . 
    
    [ ca ] 
    default_ca = CA_default 
    
    [ CA_default ] 
    serial = $dir/serial 
    database = $dir/index.txt 
    new_certs_dir = $dir/newcerts 
    certificate = $dir/cacert.pem 
    private_key = $dir/private/cakey.pem 
    default_days = 365 
    default_md = md5 
    preserve = no 
    email_in_dn = no 
    nameopt = default_ca 
    certopt = default_ca 
    policy = policy_match 
    
    [ policy_match ] 
    countryName = match 
    stateOrProvinceName = match 
    organizationName = match 
    organizationalUnitName = optional 
    commonName = supplied 
    emailAddress = optional 
    
    [ req ] 
    default_bits = 1024 # Size of keys 
    default_keyfile = key.pem # name of generated keys 
    default_md = md5 # message digest algorithm 
    string_mask = nombstr # permitted characters 
    distinguished_name = req_distinguished_name 
    
    [ req_distinguished_name ] 
    # Variable name   Prompt string 
    #----------------------   ---------------------------------- 
    0.organizationName = Organization Name (company) 
    organizationalUnitName = Organizational Unit Name (department, division) 
    emailAddress = Email Address 
    emailAddress_max = 40 
    localityName = Locality Name (city, district) 
    stateOrProvinceName = State or Province Name (full name) 
    countryName = Country Name (2 letter code) 
    countryName_min = 2 
    countryName_max = 2 
    commonName = Common Name (hostname, IP, or your name) 
    commonName_max = 64 
    
    # Default values for the above, for consistency and less typing. 
    # Variable name   Value 
    #------------------------------   ------------------------------ 
    0.organizationName_default = Ingenieursbureau Te Bokkel
    organizationalUnitName_default = System Administration
    localityName_default = Apeldoorn
    stateOrProvinceName_default = Gelderland
    countryName_default = NL
    emailAddress_default = [email protected]
    
    [ v3_ca ] 
    basicConstraints = CA:TRUE 
    subjectKeyIdentifier = hash 
    authorityKeyIdentifier = keyid:always,issuer:always 
    
    [ v3_req ] 
    basicConstraints = CA:FALSE 
    subjectKeyIdentifier = hash 
    distinguished_name = req_distinguished_name 
    req_extensions = v3_req 
    
    
    pizza CA # cat makeCSR.sh 
    #!/bin/sh
    # see http://www.debian-administration.org/articles/284
    
    if [ "$1" -a -z "$2" ]; then
            openssl req -new -nodes -keyout private/$1.key -out requests/$1.csr -config ./openssl.cnf
    else
            echo "Usage: $0 host.domain.tld"
            exit 1
    fi
    
    
    pizza CA # cat signCSR.sh 
    #!/bin/sh
    # see http://www.debian-administration.org/articles/284
    
    if [ "$1" -a -r "requests/$1.csr" ]; then
            openssl ca -out cert.pem -config ./openssl.cnf -infiles requests/$1.csr
            if [ $? -eq 0 ]; then
                    openssl x509 -in cert.pem -out public/$1.crt.pem 
                    echo "Succesfull! Please take private/$1.key.pem and public/$1.crt.pem"
            fi
    else
            echo "Usage: $0 host.domain.tld"
            echo "(CSR should exist in requests directory)"
    fi
    
    
    pizza CA # cat renew.sh 
    #!/bin/sh
    
    if [ "$1" -a -r "public/$1.crt.pem" ]; then
            openssl ca -revoke public/$1.crt.pem -config ./openssl.cnf
            if [ $? -eq 0 ]; then
                    echo
                    echo "Revoked, now signing a new certificate!"
                    echo
                    ./signCSR.sh $@
            else
                    echo "Revocation failed. Aborting.."
                    exit 1
            fi
    else
            echo "Usage: $0 host.domain.tld for which a certificate exists"
            exit 1
    fi
    pizza CA # 
     
  3. tebokkel

    tebokkel New Member

    BTW, the answer to your question is in the emailAddress_default line in the openssl.cnf.
    I just dumped all scripts that work together with it..

    Paul
     
  4. doughold

    doughold New Member

    Thanks for the script, I'll keep it in my repertoire. However, I probably should have made myself more clear in that I am getting a cert from Godaddy and I don't want to self-sign it. Is there a reason that this option isn't available in the UI of ISPConfig?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    If you want to make a feature request for this then please post it as feature request to the bugtracker.
     

Share This Page