At 03:14 PM 7/9/2003 +0200, gianni writeth:

> [EMAIL PROTECTED] wrote:
>
> > Hi, I want to create a request automatically with a web application. So the persons enter the details into a form and I write a temporary config file to create the request. But how does the content of the config file look, so that it contains the details (cn, o, ou, ...), and how does the command look that I have to execute? Hope anybody can help me.. Thanx a lot for help!!!!
> >
> > Carsten
>
> You can find details in doc/apps/req.pod in your openssl directory. Specify prompt = no in the [ req ] section to disable prompting. The command is something like
>
>     req -new -config conffile -newkey rsa:1024 -keyout newkey.pem -out request.pem

NOTE: That approach requires a config file, which is on physical media - so be sure that no one can read those files except OpenSSL and the originating program. Also, take care to zero out the config files before deleting them.

You can also hack OpenSSL to accept input from stdin instead of whatever it defaults to on your platform... I did that a long time ago for Win32 and I remember it wasn't what I would call "fun", so I recommend avoiding that particular route (although it does offer some additional security since it doesn't use the hard drive - unless you are low on RAM). Note, however, this approach doesn't protect the system from a hook into pipe()... but that's a whole other security issue - that is, if your users can modify the system's Run-Time Libraries, you've got more problems than just someone hooking into pipe() to get OpenSSL configuration information.

Hope this helps!

Thomas J. Hruska -- [EMAIL PROTECTED]
Shining Light Productions -- "Meeting the needs of fellow programmers"
http://www.shininglightpro.com/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Using the config file is the only way to generate a request without prompting. The information to protect
is the password used to encrypt the generated private key (or to access a given private key). If you don't want
to use the -passin (-passout) option and a pipe (quite hard from a web application I guess), a solution (for Win32)
could be a utility like sdelete http://www.sysinternals.com/ntw2k/utilities.shtml.
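The procedure discussed in this thread (a temporary config file with prompt = no in the [ req ] section, the openssl req command run against it, and the file overwritten before deletion), written out as an added example; this is not code from the thread or from the OpenSSL project. It assumes a POSIX shell, that the web application hands the DN fields CN, O, OU and C to gen_request as arguments, and that the key password is supplied in the environment variable REQ_PASS (the env: form of -passout, so the password is neither on the command line nor on disk); the character whitelist and the rsa:2048 key size are choices made here, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: build a non-interactive
# "openssl req" config from form-supplied DN fields, create the request,
# and overwrite the temporary config before deleting it.
# Assumptions (constructed for this example): gen_request receives CN, O,
# OU and C as arguments and the key password is in REQ_PASS.

# Allow only characters the OpenSSL conf parser treats literally (ASCII-only
# policy chosen here). Newlines, '$', '#' and quotes are rejected because a
# form value containing them could add or alter lines in the generated config.
dn_value_ok() {
    case "$1" in
        '' | *[!A-Za-z0-9\ .,@_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# make_req_config CN O OU C  -> prints the config text; fails on bad input
make_req_config() {
    c=$4
    for v in "$1" "$2" "$3" "$4"; do
        dn_value_ok "$v" || return 1
    done
    [ "${#c}" -eq 2 ] || return 1        # country name is a two-letter code
    printf '%s\n' \
        '[ req ]' \
        'prompt = no' \
        'distinguished_name = req_dn' \
        '' \
        '[ req_dn ]' \
        "CN = $1" \
        "O = $2" \
        "OU = $3" \
        "C = $4"
}

# gen_request CN O OU C  -> writes newkey.pem and request.pem in the cwd
gen_request() {
    umask 077                            # config and key readable by owner only
    cfg=$(mktemp) || return 1
    make_req_config "$@" > "$cfg" || { rm -f "$cfg"; return 1; }
    # -batch suppresses prompts; the key password comes from the environment
    # (-passout env:) instead of the command line, so it is not visible in ps.
    openssl req -new -config "$cfg" -newkey rsa:2048 -keyout newkey.pem \
        -out request.pem -batch -passout env:REQ_PASS
    rc=$?
    # Overwrite the config in place before unlinking. On journaling or
    # copy-on-write filesystems the old blocks may still survive, which is
    # why a tool such as sdelete is suggested in the thread for Win32.
    dd if=/dev/zero of="$cfg" bs=1 count="$(wc -c < "$cfg" | tr -d ' ')" \
        conv=notrunc 2>/dev/null
    rm -f "$cfg"
    return "$rc"
}

# usage: REQ_PASS='...' sh gen_req.sh 'www.example.com' 'Example Org' 'IT' 'DE'
if [ $# -eq 4 ]; then
    gen_request "$@"
fi
```

The whitelist in dn_value_ok is what makes the temporary config safe to build from untrusted form input: without it, a field containing a newline followed by another key = value pair would be parsed by OpenSSL as part of the config. The overwrite-then-delete step reflects the advice in the thread about zeroing the file; it only helps on filesystems that rewrite the same blocks in place.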