
It has been a while since I have been on here.

I have 300 new servers in my environment that my organization wants to generate certificates for using "OpenSSL". I have the names of the systems, and I have used OpenSSL before to do this; thing is, I'm not trying to sit around all day entering each piece of information over and over 300 times. I want to automate this. So far, everything works until I have to enter the information for the State, Common Name, Locality, Org, etc.

My question is, using PowerShell, how can I feed this information into OpenSSL?

FYI, I have spent the last two days searching the internet. I constantly come across bash scripts, Openssl manuals, "how to's" (with no automation) for generating certificates, especially using powershell.

I did come across one result where the person used a function, but all it did was generate ONE request, not multiple, and he didn't enter any information AT ALL. But he ended up with a CSR, so I'm confused how that worked exactly.

Here is my current code, I have cleaned it to maintain privacy:

$ServerList = 'C:\Temp\server_names.txt' #This is the input file with the server names. It is all clean and only contains the names. Not FQDNs.
$ServerlistContent = get-content $ServerList #Dump the contents of the input file into a variable

$keyPath = "D:\Openssl\OpenSSL-Win64\bin\Servers\Key\" #Output path for the '.key' file to be generated
$PemPath = "D:\Openssl\OpenSSL-Win64\bin\Servers\Pem\" #Output path for the '.pem' file to be generated

$FQDN = '.contoso.com' #Part of the common name, this will be concatenated before being used.

#Entries below this point are meant to be used when entering the information needed to generate the Certificate
$Country_Name = 'US'
$State_Name = ''
$Locality_Name = ''
$Org_Name = 'Contoso'
$Org_Unit_Name = 'HR'
$Email_Address = ''
$Challenge_pwd = ''
$optional_Name = ''
#Entries Above this point are meant to be used when entering the information needed to generate the Certificate

#Begin looping through the variable "$ServerlistContent" so that this Can be automated
foreach ($server in $ServerlistContent) {

    $Commonname = $server + $FQDN #Entry to be used for generating the certificate request.
    $Serverkey = $Server + ".key"
    $key_out = $keypath + $serverkey #Used to Create the path needed (to include the server name and file extension) for the Openssl Command
    $Serverpem = $Server + "_req.pem"
    $Pem_out = $PemPath + $Serverpem #Used to Create the path needed (to include the server name and file extension) for the Openssl Command

    D:\Openssl\OpenSSL-Win64\bin\openssl.exe genrsa -out $key_out 2048

    D:\Openssl\OpenSSL-Win64\bin\openssl.exe req -new -key $key_out -sha256 -out $Pem_out -verify -newhdr
}

#After this point, here is where I run into trouble. PowerShell just hangs and I cannot enter anything, not even manually. (See Image 1)

Image 1: (screenshot "Powershell_Stops")

  • This... is what PKI is for :) Commented Oct 6, 2020 at 19:15
  • Yes, that is true; however, we have two different environments. In one environment we have a CA server that handles all of this. In the other, upper management has decided to use OpenSSL and not our existing CA server. Commented Oct 6, 2020 at 19:33

1 Answer


Before digging into how you pass the subject arguments to openssl, I have to warn you that the intended approach is most likely a really terrible idea!

The private key should never leave the host!

The whole idea behind public-key cryptography is that most of the key material must be kept secret (or private), and a verifier only needs a small part of it (the public key) in order to encrypt data which only the private key holder can decrypt - which in turn can be used for authentication.

If copies of the private key exist on multiple machines, then multiple machines can claim the identity (i.e. the server or website name) associated with the corresponding certificate.

For this reason, I would strongly suggest writing a script to generate a single key + certificate locally, and then executing the script on each machine; this way, the private key material never has to leave the host.


Passing subject to openssl req

Assuming you're using the latest available version of openssl, the req context should have a -subj switch to which you can pass the full subject:

openssl req -new -key $key_out -sha256 -out $Pem_out -verify -newhdr -subj "/C=US/ST=NY/L=Albany/O=SuperCorp Ltd./CN=server.fqdn"

So all you need to do is construct the subject string from the variables you've already prepared:

$subject = "/C=${Country_Name}/ST=${State_Name}/L=${Locality_Name}/O=${Org_Name}/OU=${Org_Unit_Name}/CN=server.fqdn"
openssl req -new -key $key_out -sha256 -out $Pem_out -verify -newhdr -subj $subject

1 Comment

That didn't work, but you did lead me down the correct path to where I figured out the proper syntax. Thank you so much for your help!!!
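Putting the answer's -subj approach into a complete loop, as an added example that is not code from the question or answer: it escapes the characters openssl treats specially inside a subject value, drops empty DN fields, and passes arguments to openssl.exe as arrays so PowerShell quotes values with spaces. The paths, domain and subject values are assumptions.

```powershell
# Added example, not code from the question or answer. Paths, domain and the
# subject values below are constructed assumptions; adjust them to your site.
$OpenSsl    = 'D:\Openssl\OpenSSL-Win64\bin\openssl.exe'
$ServerList = 'C:\Temp\server_names.txt'   # one short hostname per line
$KeyPath    = 'D:\Openssl\OpenSSL-Win64\bin\Servers\Key'
$PemPath    = 'D:\Openssl\OpenSSL-Win64\bin\Servers\Pem'
$Domain     = '.contoso.com'

# Ordered so the DN is emitted as C/ST/L/O/OU; empty fields are dropped.
$DnParts = [ordered]@{ C = 'US'; ST = 'New York'; L = ''; O = 'Contoso'; OU = 'HR' }

function ConvertTo-OpenSslSubject {
    # Builds "/C=US/ST=New York/.../CN=host.contoso.com" for openssl's -subj.
    # Backslash, "/" and "+" are special inside -subj values (escape character,
    # RDN separator, multi-valued RDN marker), so each is prefixed with "\".
    param($Parts, [string]$CommonName)
    $subj = ''
    foreach ($k in $Parts.Keys) {
        if ([string]::IsNullOrWhiteSpace($Parts[$k])) { continue }
        $subj += '/{0}={1}' -f $k, ($Parts[$k] -replace '([\\/+])', '\$1')
    }
    return $subj + '/CN=' + ($CommonName -replace '([\\/+])', '\$1')
}

foreach ($line in (Get-Content $ServerList | Where-Object { $_.Trim() })) {
    $server  = $line.Trim()
    $keyOut  = Join-Path $KeyPath "${server}.key"
    $csrOut  = Join-Path $PemPath "${server}_req.pem"
    $subject = ConvertTo-OpenSslSubject -Parts $DnParts -CommonName ($server + $Domain)

    # Splatted arrays let PowerShell quote values containing spaces for the exe.
    $genArgs = @('genrsa', '-out', $keyOut, '2048')
    & $OpenSsl @genArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "genrsa failed for $server"; continue }

    # -subj supplies the whole DN and -batch disables any remaining prompt, so
    # the request can no longer stall waiting for keyboard input.
    $reqArgs = @('req', '-new', '-batch', '-key', $keyOut, '-sha256',
                 '-subj', $subject, '-out', $csrOut)
    & $OpenSsl @reqArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "req failed for $server"; continue }

    # Read the subject back out of the CSR to confirm what was actually embedded.
    $chkArgs = @('req', '-in', $csrOut, '-noout', '-subject', '-verify')
    & $OpenSsl @chkArgs
}
```

Run the same script on each host, as the answer recommends, and the generated key never has to leave the machine it will identify.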
