Just want to say thanks to all for the help getting my IIS server to accept
my self signed CA.

Here is a script to create user certs.

# This script takes html form data and generates a pem encoded certificate
# request.
#created by Tom Hash

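use strict;
use warnings;

# How long (seconds) to wait for each interactive openssl prompt.
use constant PROMPT_TIMEOUT => 5;

MAIN: {

require "cgi-lib.pl";
use Expect;

# Deployment settings.  The CA pass phrase is a placeholder: load it from a
# file outside the document root that only the CGI user can read, rather than
# keeping it in a script that may be world-readable or end up in version
# control.
my $openssl       = '/usr/local/ssl/bin/openssl';
my $cert_dir      = '/var/www/cgi-bin/temp';   # original checked this path but wrote to ./temp
my $ca_cert       = '/usr/local/ssl/misc/yourCA/cacert.pem';
my $notify_to     = 'your-email@address.here';
my $ca_passphrase = 'CA password here';
my $organization  = 'Changeme';                # hard code the Org field
my $site_url      = 'http://your.site.here';

# $SSLEAY_CONFIG is never assigned in this script; if the deployment sets it
# (e.g. "-config /path/openssl.cnf") it is split into argv words here so the
# openssl commands below can be run without a shell.
our $SSLEAY_CONFIG;
my @config_opts = (defined $SSLEAY_CONFIG && length $SSLEAY_CONFIG)
    ? split(' ', $SSLEAY_CONFIG)
    : ();

# Read in all the variables set by the form (cgi-lib.pl).
our %input;
ReadParse(*input);

# Every value is later typed into an interactive openssl session one line at
# a time, so a CR/LF inside a field would also answer the following prompt.
for my $value (values %input) {
    $value =~ s/[\r\n]//g if defined $value;
}

# Only the e-mail address reaches the filesystem (it names every temp file),
# so it is validated against an anchored whitelist and re-assigned from the
# capture; anything else (path separators, shell metacharacters, an empty
# string) leaves $email undefined and fails the field check below.
my $raw_email = defined $input{'email'} ? $input{'email'} : '';
my ($email) = $raw_email =~ m{\A([A-Za-z0-9._+-]+\@[A-Za-z0-9.-]+)\z};

# Check to see if they have requested a cert in the past.
if (defined $email and -f "$cert_dir/$email.p12") {
    CgiDie("Error:  Certificate already in database\n",
        "It appears you have\nrequested a certificate twice.  This corrupted your previous certificate.\nPlease send mail to your-email\@address.here so he can correct the problem.  He will\nthen inform you to request a cert again.\n");
}

# Which orgunit to use, and the state/country conflict, are resolved before
# validation so the error page can echo what was actually derived (the
# original computed these only on the success path, so the error page always
# showed them empty).
my $organization_unit = _filled($input{'orgunit'})
    ? $input{'orgunit'}
    : (defined $input{'orgunitother'} ? $input{'orgunitother'} : '');
my $new_state = (defined $input{'country'} && $input{'country'} ne 'US')
    ? 'none'
    : (defined $input{'state'} ? $input{'state'} : '');

# Check to see if all the right fields are filled in.  A state is only
# mandatory for US addresses: the original condition "state given, or
# non-US and state blank" reduces to exactly that.
my $fields_ok =
       _filled($input{'name'})
    && _filled($input{'passwd'})
    && _filled($input{'passwd2'})
    && $input{'passwd'} eq $input{'passwd2'}
    && defined $email
    && (_filled($input{'orgunit'}) || _filled($input{'orgunitother'}))
    && _filled($input{'city'})
    && _filled($input{'country'})
    && (_filled($input{'state'}) || $input{'country'} ne 'US');

print PrintHeader();
print HtmlTop("Generating Certificate Request...");

if ($fields_ok) {
    # Private keys are written into $cert_dir; make sure nothing else on the
    # box can read them while they exist.  The .p12 inherits this mode too;
    # relax it if another account must read the result.
    umask 077;

    my $key_file    = "$cert_dir/$email.key";
    my $csr_file    = "$cert_dir/$email.cert";   # a CSR; the original's name is kept
    my $pem_file    = "$cert_dir/$email.pem";
    my $signed_file = "$cert_dir/$email.pem.signed";
    my $bundle_file = "$cert_dir/$email.temp";
    my $p12_file    = "$cert_dir/$email.p12";

    print "<pre>\r";

    #
    # Create the private key and the request, driving openssl's prompts with
    # Expect.  The list form of spawn runs openssl directly (no shell), so
    # form values are never parsed as command syntax.
    #
    my $command_req = Expect->spawn($openssl, 'req', @config_opts, '-new',
        '-keyout', $key_file, '-out', $csr_file, '-days', '1825')
        or die "cannot spawn $openssl req: $!";
    _answer($command_req, 'phrase:',          $input{'passwd'});
    _answer($command_req, 'phrase:',          $input{'passwd'});
    _answer($command_req, '[US]:',            $input{'country'});
    # The original sent the raw state field here while $new_state went
    # unused; feeding the derived value is what the "none" fallback is for.
    _answer($command_req, '[Some-State]:',    $new_state);
    _answer($command_req, 'city',             $input{'city'});
    _answer($command_req, 'Ltd]:',            $organization);
    _answer($command_req, 'section) []:',     $organization_unit);
    _answer($command_req, 'name) []:',        $input{'name'});
    _answer($command_req, 'Address []:',      $email);
    _answer($command_req, 'password []:',     '');
    _answer($command_req, 'company name []:', '');
    # Wait for openssl to exit instead of sleeping and hoping the output
    # files are complete.
    $command_req->soft_close();

    #
    # Now join the key and the request to form the .pem, then drop the CSR.
    #
    _append_files($pem_file, $key_file, $csr_file);
    unlink $csr_file;

    #
    # Sign the certificate (and clean up some files)
    #
    print "\r\rCert AutoSigner v1.0...\r";
    my $command_sign = Expect->spawn($openssl, 'ca', @config_opts,
        '-policy', 'policy_anything', '-out', $signed_file, '-infiles', $pem_file)
        or die "cannot spawn $openssl ca: $!";
    _answer($command_sign, 'pass phrase:',  $ca_passphrase);
    _answer($command_sign, 'certificate',   'y');
    _answer($command_sign, 'commit? [y/n]', "y\r");
    $command_sign->soft_close();

    #
    # Convert the signed cert to a pkcs12 certificate so Netscape and IE can
    # import.  (and clean up some files)
    #
    unlink $pem_file;
    _append_files($bundle_file, $key_file, $signed_file);
    print "\r";
    my $command_conv = Expect->spawn($openssl, 'pkcs12', '-export',
        '-in', $bundle_file, '-out', $p12_file,
        '-name', "Your Certificate for $email", '-certfile', $ca_cert)
        or die "cannot spawn $openssl pkcs12: $!";
    _answer($command_conv, 'pass phrase:',     $input{'passwd'});
    _answer($command_conv, 'Export Password:', $input{'passwd'});
    _answer($command_conv, 'Export Password:', $input{'passwd'});
    $command_conv->soft_close();

    # Only the .p12 is kept; every other file held the private key in clear.
    unlink $key_file, $signed_file, $bundle_file;

    # E-mail the approver and tell him he has a cert to approve.  List-form
    # pipe open: the address and subject are arguments, never shell text.
    if (open my $mail, '|-', 'mail', '-s', 'certificate request', $notify_to) {
        print {$mail} "$email has a certificate request.\n";
        close $mail;
    }
    print "</pre>\r";
    print "</HTML></BODY>\r\n";
}
else {
    print "ERROR: You left a required field blank, your passwords didn't match,\n"
        . "or your e-mail address contains characters that are not allowed.\n"
        . "  Please go back and correct.\n";

    # These values come straight from the request; escape them so the error
    # page cannot be used to reflect markup back to the browser.
    my %shown = map { $_ => _escape_html($input{$_}) } qw(name email city country);
    my $shown_unit  = _escape_html($organization_unit);
    my $shown_state = _escape_html($new_state);
    print <<"ENDOFTEXT";
   <pre>
   Your name is: +$shown{name}+
   Your password is: +********+
   Your e-mail address is: +$shown{email}+
   Your Organization Unit is : +$shown_unit+
   Your City is: +$shown{city}+
   Your State is: +$shown_state+
   Your Country is: +$shown{country}+
   </pre>
ENDOFTEXT
}
# Close the document cleanly.
print "<script language=\"JavaScript\">window.location=\"$site_url\";</script>";
print HtmlBot();

}

# True when a form field is present and not the empty string.
sub _filled {
    my ($value) = @_;
    return defined $value && $value ne '';
}

# Wait up to PROMPT_TIMEOUT seconds for $prompt (matched by Expect as a
# literal string, not a regex) on the spawned process $proc and answer it
# with $reply followed by CR.  Returns true if the prompt was seen, so a
# missed step can be detected by the caller.
sub _answer {
    my ($proc, $prompt, $reply) = @_;
    return 0 unless $proc->expect(PROMPT_TIMEOUT, $prompt);
    print {$proc} "$reply\r";
    return 1;
}

# Append the contents of each file in @sources to $dest, in order.  This
# replaces the shell `cat a b >> c` so file names are never interpolated
# into a command line.  Dies if any file cannot be opened or the write fails.
sub _append_files {
    my ($dest, @sources) = @_;
    open my $out, '>>', $dest or die "open $dest: $!";
    for my $src (@sources) {
        open my $in, '<', $src or die "open $src: $!";
        while (my $line = <$in>) {
            print {$out} $line;
        }
        close $in;
    }
    close $out or die "close $dest: $!";
    return;
}

# Escape the five HTML-significant characters so a form value can be echoed
# inside markup; undef becomes the empty string.
sub _escape_html {
    my ($text) = @_;
    return '' unless defined $text;
    my %entity_for = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$entity_for{$1}/g;
    return $text;
}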

Brandon Amundson
BBN Technologies
LAB: 703 284 8189
[EMAIL PROTECTED]
