Trying to achieve a sort of self-signed PKI setup utilizing openssl on RHEL, with a few caveats. I will attempt to provide as much information as possible here.
Versions: RHEL 6.7 | OpenSSL 1.0.1e-fips 11 Feb 2013
Caveats/constraints on the script: this script will be utilized to create multiple key sets - by default, one root keypair and cert and two client keypairs and certs per run. User input is asked for file location, filename and passphrase on the client keys. All this was fairly straightforward, and I had a script that would run these commands on user request, and utilized the openssl.cnf file to point back to the root key to sign. I had used sed to change the location pointers in openssl.cnf based on filename originally, and was successfully able to sign the client cert.
However, there are two major caveats to this:
I was asked to change the script so that it is not dynamically editing the script or other files per each run, meaning openssl.cnf should not be edited on the fly if possible. If this is needed to function, however, then it should be fine.
The user needs to be able to run multiple sets of this script ad hoc, especially with regards to the client keypairs (I have the root script and the client generation script separate in a user selectable menu). That is to say, generating the client keypair is requisite on having a root key to associate with, but can be done multiple times, and the client key script should ask the user with which root key to associate and sign from?
Because of these constraints, it didn't seem that editing openssl.cnf was a prudent option, and not very scalable. So, given this info my question which I've been unable to figure out is simply:
Is there a way to point a client key to a variable which would be the root key cert to sign? (Rather than utilizing openssl.cnf for the 'certificate' and 'private_key' entries?)
As of now, I have:
root key & cert:
openssl req -config $dir/openssl.cnf -new -x509 -days 3652 -nodes -sha384 -newkey ec:ec-secp384r1.pem -keyout $userdir/${rootName}_private.key -out $userdir/${rootName}.crt -subj "stuff_here"
...
export rootName
client keys & certs:
read -p "Which root key do you want to associate this client keypair with? Please type absolute filepath and filename (ending in .key): " rkAssoc #STILL NEED TO USE THIS VARIABLE
##KEY GENERATION
openssl req -newkey ec:ec-secp384r1.pem -keyout $userdir/${clientName}_private.key -out $userdir/client/${clientName}.csr -subj "Stuff_here"
##SIGN CSR
openssl ca -config $dir/openssl.cnf -policy policy_anything -extensions usr_cert -days 730 -notext -md sha384 -in $userdir/client/${clientName}.csr -out $userdir/client/${clientName}_signedprivatekey.pem && echo "Client key created."
So I guess,
1) Did I do the client signing correctly (something seems off about it but not sure)
2) Instead of referencing -req openssl.cnf I presume there is probably some kind of flag where you could do something more like
openssl ca ... -cert ${rkAssoc}
is this remotely correct or am I way off?
Thanks in advance for anyone who lends a hand.
OpenSSL has multiple ways of doing the same thing. You found one way of signing a CSR, with openssl ca. openssl x509 can act as a mini CA, so to eliminate the need for a config file, you could do something like:
# -CAcreateserial lets the first run create the serial file instead of failing because it does not exist yet
openssl x509 -req -in /tmp/mykey.csr.pem -CA /path/to/ca/mycacert.pem -CAkey /path/to/ca/cakey.pem -CAserial /path/to/ca/myca.srl -CAcreateserial -days 3600 -out /tmp/mykeypub.cert.pem
Where -CA points to your root CA cert, and -CAkey to your root CA key.
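The openssl x509 -req approach from the answer carried through as a complete, config-free flow: a root CA is built once, and each client CSR is signed against whichever root the caller names, with the root key and cert passed as arguments instead of living in the private_key/certificate entries of openssl.cnf. This is an added example and not code from the question or the answer; the directory layout, the rootA/rootB/alice names, the subjects, the serial-file location next to the root cert, and the leaf extension set (standing in for the usr_cert section openssl ca would read from openssl.cnf) are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above: build a root
# CA, then sign client CSRs against a caller-chosen root with `openssl x509 -req`
# so that nothing in openssl.cnf has to be edited per run.
# Directory layout, names, subjects and extension values are assumptions.
set -eu

# make_root_ca DIR NAME: self-signed EC P-384 root with an unencrypted key
# (the equivalent of -nodes in the question's root command).
make_root_ca() {
    cadir="$1"; name="$2"
    mkdir -p "$cadir"
    openssl ecparam -genkey -name secp384r1 -noout -out "$cadir/${name}_private.key"
    openssl req -new -x509 -sha384 -days 3652 \
        -key "$cadir/${name}_private.key" \
        -subj "/CN=${name} root CA" \
        -out "$cadir/${name}.crt"
}

# client_ext_file PATH: extensions a leaf client certificate should carry.
# This replaces the usr_cert section that `openssl ca -extensions usr_cert`
# would otherwise pull out of openssl.cnf (values are an assumed, typical set).
client_ext_file() {
    cat > "$1" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# sign_client DIR NAME ROOT_KEY ROOT_CERT: generate a client key and CSR, then
# sign the CSR with the root the caller passed in. The serial file is kept next
# to the root cert and created on first use by -CAcreateserial.
sign_client() {
    cdir="$1"; cname="$2"; rkey="$3"; rcrt="$4"
    mkdir -p "$cdir"
    openssl ecparam -genkey -name secp384r1 -noout -out "$cdir/${cname}_private.key"
    openssl req -new -sha384 -key "$cdir/${cname}_private.key" \
        -subj "/CN=${cname}" -out "$cdir/${cname}.csr"
    client_ext_file "$cdir/client_ext.cnf"
    openssl x509 -req -sha384 -days 730 \
        -in "$cdir/${cname}.csr" \
        -CA "$rcrt" -CAkey "$rkey" \
        -CAserial "$(dirname "$rcrt")/serial.srl" -CAcreateserial \
        -extfile "$cdir/client_ext.cnf" \
        -out "$cdir/${cname}.crt"
    # Refuse to report success unless the new cert actually chains to that root.
    openssl verify -CAfile "$rcrt" "$cdir/${cname}.crt" >/dev/null
}

# issuer_of CERT: print the issuer DN, i.e. which root signed this certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Stand-alone demo: two independent roots, one client signed by rootA only.
demo() {
    work="$(mktemp -d)"
    make_root_ca "$work/rootA" rootA
    make_root_ca "$work/rootB" rootB
    sign_client "$work/clients" alice "$work/rootA/rootA_private.key" "$work/rootA/rootA.crt"
    issuer_of "$work/clients/alice.crt"
    # A cert signed by rootA must not validate against rootB.
    if openssl verify -CAfile "$work/rootB/rootB.crt" "$work/clients/alice.crt" >/dev/null 2>&1; then
        echo "unexpected: alice.crt verified against rootB" >&2
        exit 1
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The menu-driven script from the question can call sign_client with the path the user typed into rkAssoc (and the matching .crt), so choosing a different root is just a different pair of arguments. openssl req still reads the system openssl.cnf for its defaults, but nothing is rewritten per run. If the root key is passphrase-protected, add -passin to the openssl x509 call (or let it prompt), and keep the serial file alongside the root so two roots never share one serial sequence.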