[LRUG] OpenSSL CSR Generation - Challenge Passphrase

Ash Berlin ash_lrug at firemirror.com
Mon Jun 25 09:07:43 PDT 2012


And a nicer layer on top of the built in pty gem appears to be https://github.com/avdi/greenletters

-ash

On 25 Jun 2012, at 17:03, Ash Berlin wrote:

> I don't know how you'd do this via the openssl gem, but one possible solution, if you can't find an alternative, is to use the PTY gem and drive input to openssl (and thus the passphrase) this way.
> 
> Untested and it might not work, but I've used an equivalent approach in perl with gpg.
> 
> -ash
> 
> 
> On 25 Jun 2012, at 16:59, Jared Patterson wrote:
> 
>> Hey All,
>> 
>> I'm working on building an API to handle certificate requests against a SCEP API on a PKI Product, and I need to be able to generate CSRs which include a challenge passphrase. However, I am struggling to see how this is done in Ruby, nor do the docs for openssl show how this is possible. Usually, using the openssl command directly, you would do something like:
>> 
>> # openssl req -new -nodes -keyout myserver.key -out server.csr -newkey rsa:2048
>> 
>> Which would request the following:
>> 
>> 
>> ---------  
>>        Country Name (2 letter code) [US]: US
>>        State or Province Name (full name) []: Texas
>>        Locality Name (eg, city) []: Houston
>>        Organization Name (eg, company) []: Your Company Inc
>>        Organizational Unit Name (eg, section) []: Your Department
>>        Common Name (eg, YOUR name) []: secure.yourcompanyname.com
>>        Email Address []:
>> 
>> Please enter the following 'extra' attributes to be sent with your certificate request
>> 
>>        A challenge password []: 
>>        An optional company name []:
>> ---------
>> 
>> In ruby, I am doing the following:
>> 
>> ---------
>> 
>> 
>> require 'openssl'
>>
>> # Generate a 2048-bit RSA key and write it (PEM-encoded) to the file `name`.
>> def gen_key(name)
>>   begin
>>     key = OpenSSL::PKey::RSA.new 2048
>>     file = File.new(name, "w")
>>     file.write(key)
>>     file.close
>>   rescue => e
>>     print "Error, something went wrong while generating the private key file?"
>>     print "Exception: #{e.message}"
>>   end
>> end
>>
>> new_key = gen_key("jared.test.com")
>>
>> # Load the private key back from the file `name`.
>> def get_key(name)
>>   OpenSSL::PKey::RSA.new File.read(name)
>> end
>>
>> key = get_key("jared.test.com")
>> cn = "jared.test.com"
>>
>> # Build and sign a CSR for the common name `cn` (no attributes yet).
>> def gen_csr(key, cn)
>>   options = {
>>     :country      => 'GB',
>>     :state        => 'London',
>>     :city         => 'London',
>>     :organization => 'Betfair',
>>     :department   => 'IS',
>>     :common_name  => cn,
>>     :email        => 'jared.patterson at betfair.com'
>>   }
>>
>>   request = OpenSSL::X509::Request.new
>>   request.version = 0
>>   request.subject = OpenSSL::X509::Name.new([
>>     ['C',            options[:country],      OpenSSL::ASN1::PRINTABLESTRING],
>>     ['ST',           options[:state],        OpenSSL::ASN1::PRINTABLESTRING],
>>     ['L',            options[:city],         OpenSSL::ASN1::PRINTABLESTRING],
>>     ['O',            options[:organization], OpenSSL::ASN1::UTF8STRING],
>>     ['OU',           options[:department],   OpenSSL::ASN1::UTF8STRING],
>>     ['CN',           options[:common_name],  OpenSSL::ASN1::UTF8STRING],
>>     ['emailAddress', options[:email],        OpenSSL::ASN1::UTF8STRING]
>>   ])
>>   request.public_key = key.public_key
>>   request.sign(key, OpenSSL::Digest::SHA1.new)
>> end
>>
>> my_csr = gen_csr(key, cn)
>> 
>> ---------
>> 
>> However I don’t understand how I can add the challenge passphrase to the CSR. I'm guessing this is some sort of additional attribute added to the request. Does anyone know how this is done, or can anyone supply me with an example?
>> 
>> 
>> 
>> 
>> Cheers,
>> 
>> Jared Patterson
> 
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
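
The question in the thread is how to attach the challenge passphrase from Ruby without driving the `openssl` prompt. As an added example (not code from the thread): the passphrase is the PKCS #9 `challengePassword` attribute, which the `openssl` gem can set with `OpenSSL::X509::Attribute`. The helper names, sample subject and sample secret are constructed for illustration.

```ruby
require 'openssl'

# Characters allowed in an ASN.1 PrintableString.
PRINTABLE = %r{\A[A-Za-z0-9 '()+,\-./:=?]*\z}

# Build a signed PKCS#10 request carrying a PKCS#9 challengePassword attribute.
# `subject` is an OpenSSL::X509::Name; `challenge` is the shared secret string.
def csr_with_challenge(key, subject, challenge)
  request = OpenSSL::X509::Request.new
  request.version = 0
  request.subject = subject
  request.public_key = key.public_key

  # Prefer PrintableString; fall back to UTF8String for other characters.
  string = if challenge.match?(PRINTABLE)
             OpenSSL::ASN1::PrintableString.new(challenge)
           else
             OpenSSL::ASN1::UTF8String.new(challenge)
           end
  # Attribute values are a SET, here holding exactly one string.
  attribute = OpenSSL::X509::Attribute.new('challengePassword',
                                           OpenSSL::ASN1::Set.new([string]))
  request.add_attribute(attribute)

  # Sign last: the signature covers the attributes as well as the subject.
  request.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Read the challenge back out of a PEM or DER request; nil when it has none.
def challenge_from_csr(encoded)
  request = OpenSSL::X509::Request.new(encoded)
  raise ArgumentError, 'CSR signature does not verify' unless request.verify(request.public_key)
  attribute = request.attributes.find { |a| a.oid == 'challengePassword' }
  attribute && attribute.value.value.first.value
end

# Constructed sample values, for illustration only.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE_SUBJECT = OpenSSL::X509::Name.parse('/C=GB/O=Example Org/CN=host.example.test')
SAMPLE_CSR = csr_with_challenge(SAMPLE_KEY, SAMPLE_SUBJECT, 'constructed-secret')
puts SAMPLE_CSR.to_pem
```

The attribute is stored unencrypted inside the PKCS#10 structure, so anyone who can read the CSR can read the challenge; handle the CSR as a secret until it has been wrapped for the SCEP server.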
