Re: scripting creating a cert

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Viktor,

On 03/09/2017 05:53 PM, Viktor Dukhovni wrote:
On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:

   $ umask 077 # avoid world-readable private keys
Perhaps (no perhaps about it) this is old information, but I picked up that I needed:

chmod 640 for the private keys for Apache.  (and postfix and others use these certs; at least they are in their confs)
I strive to avoid the private disclosure race of first creating
a world-readable file, and then trying to do a quick chmod before
the bad guys get around to opening it.  That's why I recommend the
umask approach.

You can adjust the umask to suit your needs.  With OpenSSL 1.1.0,
if I recall correctly "keyout" files and the like are automatically
opened mode "0600". Rich Salz, who wrote the CLI option processing
code for 1.1.0 will correct me, if my memory if faulty.  There are
still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
always figure out which files end up having private keys in them,
so the umask approach is a good precaution to keep using.

Rich got me some help and I have put the following together:

Set the following variables:

countryName=
stateOrProvinceName=
localityName=
organizationName=
organizationalUnitName=
emailAddress=postmaster@$your_domain_tld

Then the following commands create the certs:

restore_mask=$(umask -p)
umask 077
cd /etc/pki/tls
commonName=$your_host_tld

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 -nodes -keyout private/$commonName.key -keyform PEM -days 3650 -x509 -extensions v3_req -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key
commonName=webmail$your_domain_tld

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 -nodes -keyout private/$commonName.key -keyform PEM -days 3650 -x509 -extensions v3_req -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key
commonName=localhost

openssl req -new -outform PEM -out certs/$commonName.crt -newkey rsa:2048 -nodes -keyout private/$commonName.key -keyform PEM -days 3650 -x509 -extensions v3_req -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

chmod 640 private/$commonName.key
$restore_mask


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux