I am in the process of trying to automate/script, via shell, a method of post-server-build config for one of our teams, and one of the final steps after everything is installed is to generate an SSL key and CSR file ready for upload to our internal certificate management/signing tool.
The existing process had them running the following 2 commands and entering all details (passphrase, distinguished name details, attributes, etc.) manually:
#create private key
openssl genrsa -des3 -out filename.key 2048
#generate csr
openssl req -new -key filename.key -out filename.csr
I have opted to use the following process to try and automate it: first, generate a config file containing the required details, like:
[ req ]
default_bits = 2048
distinguished_name = disname
.....
[ disname ]
C = NN
ST = name
.....
Then run the combined command to generate the files, using some defined variables:
openssl req -newkey rsa:2048 -passout "pass:${passPhrase}" -config config.file \
  -keyout filename.key -out filename.csr
This command seems to work a dream, but...
It was noticed that the output for the key on this combined command is not like the original one.
The original method, where we include -des3, creates a key file starting with the following:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,nnnnnnnnnnnnn
The file created via the combined method simply has:
-----BEGIN ENCRYPTED PRIVATE KEY-----
The question is: is this the same, with one method simply putting different info at the beginning, or is this fundamentally different, so that I need to revert to the old way or do something else to have the same level/method of encryption?
I found a way to do what I need.
2-step process:
1 - key creation (with no prompt)
2 - csr creation from key with no prompt
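Added example (editor's, not the asker's script): a two-step, prompt-free key and CSR generation like the answer describes, covering the same ground as the config-file attempt in the question, plus the checks that tell the two key formats apart. Assumptions, none of which are from the original post: the req config is constructed for the example (with prompt = no, which is what stops openssl req from asking for the DN), the passphrase is read from a KEY_PASS environment variable rather than pass:... on the command line (a pass: argument is visible to every user in ps), and genpkey, pkey and asn1parse come from OpenSSL 1.1 or 3.x.

```shell
#!/bin/sh
# Added example (not the asker's script): non-interactive key + CSR generation
# as a two-step process, followed by checks on what was produced.
# Assumptions: the req config below is constructed for the example, the
# passphrase comes from the KEY_PASS environment variable (so it does not show
# up in `ps` the way pass:... does), and output goes to a directory you choose.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 127; }

# Constructed req config. "prompt = no" is what makes `openssl req` read the
# DN from the file instead of asking for it interactively.
write_req_config() {            # $1 = path to write
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = disname
req_extensions     = v3_req

[ disname ]
C  = NN
ST = name
L  = city
O  = org
CN = host.example.internal

[ v3_req ]
subjectAltName = DNS:host.example.internal
EOF
}

# Step 1: private key, encrypted, no prompt. genpkey writes PKCS#8
# ("BEGIN ENCRYPTED PRIVATE KEY", PBES2/PBKDF2) on OpenSSL 1.1 and 3.x alike.
gen_key() {                     # $1 = key path
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass env:KEY_PASS -out "$1"
}

# Step 2: CSR from that key, no prompt.
gen_csr() {                     # $1 = key path, $2 = CSR path, $3 = config path
    openssl req -new -key "$1" -passin env:KEY_PASS -config "$3" -out "$2"
}

# Optional: the same key re-wrapped in the old format ("BEGIN RSA PRIVATE KEY"
# + Proc-Type/DEK-Info with DES-EDE3-CBC), for a tool that insists on it.
to_legacy_pem() {               # $1 = PKCS#8 key in, $2 = legacy key out
    openssl pkey -in "$1" -passin env:KEY_PASS \
        -traditional -des3 -passout env:KEY_PASS -out "$2"
}

# --- checks ---------------------------------------------------------------

# PEM label of the first line, e.g. "ENCRYPTED PRIVATE KEY" or "RSA PRIVATE KEY".
pem_label() {                   # $1 = PEM file
    head -n 1 "$1" | sed -e 's/^-*BEGIN //' -e 's/-*$//'
}

# Legacy PEM encryption is recognisable by its DEK-Info header; its key is
# derived from the passphrase with MD5 and a single iteration (EVP_BytesToKey).
is_legacy_pem() {               # $1 = PEM file
    grep -q '^DEK-Info:' "$1"
}

# For a PKCS#8 file, list the PBES2/PBKDF2/cipher OIDs of the envelope (asn1parse
# prints them by name); empty for a legacy file, whose body is ciphertext, not DER.
pkcs8_kdf_summary() {           # $1 = PEM file
    openssl asn1parse -in "$1" 2>/dev/null \
        | grep -oE ':(PBES2|PBKDF2|aes-256-cbc)' | tr -d ':' \
        | LC_ALL=C sort -u | xargs
}

# The CSR must verify under its own signature and carry the key's public half.
csr_matches_key() {             # $1 = key path, $2 = CSR path
    openssl req -in "$2" -noout -verify >/dev/null 2>&1 || return 1
    k=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout | openssl sha256)
    c=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

main() {                        # $1 = output directory (default: ./out)
    dir=${1:-./out}
    mkdir -p "$dir"
    : "${KEY_PASS:=example-passphrase}"; export KEY_PASS   # demo value only
    write_req_config "$dir/req.cnf"
    gen_key "$dir/host.key"
    gen_csr "$dir/host.key" "$dir/host.csr" "$dir/req.cnf"
    to_legacy_pem "$dir/host.key" "$dir/host-legacy.key"
    for f in host.key host-legacy.key; do
        printf '%s: %s; legacy=%s; pkcs8=%s\n' "$f" "$(pem_label "$dir/$f")" \
            "$(is_legacy_pem "$dir/$f" && echo yes || echo no)" \
            "$(pkcs8_kdf_summary "$dir/$f")"
    done
    csr_matches_key "$dir/host.key" "$dir/host.csr" && echo "CSR matches key"
}

main "$@"
```

Why the two headers differ: "BEGIN RSA PRIVATE KEY" with Proc-Type/DEK-Info is OpenSSL's legacy PEM encryption, where the 3DES key is derived from the passphrase by a single MD5 pass; "BEGIN ENCRYPTED PRIVATE KEY" is a PKCS#8 envelope whose key is derived with PBKDF2 over many iterations, so the PKCS#8 form is the stronger wrapping of the same RSA key, not a weaker one. to_legacy_pem above is there only for a consumer that cannot read PKCS#8. Note also that on OpenSSL 3.x even genrsa -des3 writes PKCS#8 unless -traditional is given, so the header the old command produces depends on the OpenSSL version installed on the new server.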