Old 01-24-2006, 10:31 PM   #1
megaspaz
Senior Member
 
Registered: Nov 2002
Location: Silly Con Valley
Distribution: Red Hat 7.3, Red Hat 9.0
Posts: 2,054

Rep: Reputation: 46
Automating openssl certificate generation


Anybody know how to automate the generation of server certificates without user interaction?

Some background:

We're in the process of upgrading our content servers to new hardware and with new OSes. The plan is to recompile webserver/app server/etc. on the new systems. So the plan is to do this once and to then take this configuration and use this for any other content server we want to create. So let's say we want to create 30 content servers, we need to generate 30 server certificates. Hence the question, is it possible to automate this process with no user interaction? These content servers aren't outside facing and are to be used for testing purposes only. I've googled 'automate certificate generation' and didn't see anything really relevant.

Thanks for your time and help.
 
Old 01-25-2006, 07:07 PM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 344
I'm not sure I understand the problem. You can just create a shell script to create a new certificate. For example:

#!/bin/bash
# Pass the following information to the routine to generate the certificate:
#
# Country Name (2 letter code) [GB]:.
# State or Province Name (full name) [Berkshire]:.
# Locality Name (eg, city) [Newbury]:.
# Organization Name (eg, company) [My Company Ltd]:.
# Organizational Unit Name (eg, section) []:.
# Common Name (eg, your name or your server's hostname) []:.
# Email Address []:.

umask 77 ; echo "$COUNTRY
$STATE
$CITY
$ORG
$UNIT
$HOST
$IP
$IP
$EMAIL" | /usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt >/dev/null
 
Old 01-25-2006, 08:53 PM   #3
megaspaz
Senior Member
 
Registered: Nov 2002
Location: Silly Con Valley
Distribution: Red Hat 7.3, Red Hat 9.0
Posts: 2,054

Original Poster
Rep: Reputation: 46
Yeah. I'm looking for something like that. I just don't know how to go about passing in the information. Is what you posted below what the script is supposed to look like? And can you explain how your script works?

Thanks.
 
Old 01-25-2006, 10:10 PM   #4
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 344
All it does is "queue up" the responses that the openssl is going to be asking for. The $ variables are just placeholders for the information. Let's say you call the script "makenewcert" and change it to:

#!/bin/bash
# Pass the following information to the routine to generate the certificate:
#
# $1 = Country Name (2 letter code) [GB]:.
# $2 = State or Province Name (full name) [Berkshire]:.
# $3 = Locality Name (eg, city) [Newbury]:.
# $4 = Organization Name (eg, company) [My Company Ltd]:.
# $5 = Organizational Unit Name (eg, section) []:.
# $6 = Common Name (eg, your name or your server's hostname) []:.
# $7 = IP address
# $8 = Email Address []:.

umask 77 ; echo "$1
$2
$3
$4
$5
$6
$7
$7
$8" | /usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt >/dev/null


You can then call it and pass the information as parameters. For example:

makenewcert "US" "New Jersey" "Newark" "My Company" "IT" "myserver.com" "123.45.67.89" "webmaster@myserver.com"
 
Old 08-20-2012, 02:42 PM   #5
spkane
LQ Newbie
 
Registered: Feb 2011
Posts: 2

Rep: Reputation: 0
create cert with no prompting

something like this works well:

openssl req -config ssl.cnf -new -x509 -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN=www.example.com" -days 3650 -key cert.key -out cert.crt -extensions v3_ca

The -subj being the important part here.
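
An added example, not part of any post in this thread: the -subj approach applied to a batch of internal test hosts, with a fresh key per host, a subjectAltName, and a check that each certificate matches its key. The function names, hostnames and subject prefix are constructed for illustration, and -addext assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: batch self-signed certificates with no prompts.
# Hostnames and subject fields below are constructed placeholders.

SUBJ_BASE="/C=US/ST=Oregon/L=Portland/O=IT"   # assumed shared subject prefix

# make_cert HOST OUTDIR: write OUTDIR/HOST.key and OUTDIR/HOST.crt
make_cert() {
    host=$1; outdir=$2
    # Accept only plain DNS names, so a mistyped or malformed list entry
    # cannot alter the -subj string or the output file path.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $host" >&2; return 1 ;;
    esac
    (
        umask 077   # private key must not be group/world readable
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$outdir/$host.key" -out "$outdir/$host.crt" \
            -days 365 -subj "$SUBJ_BASE/CN=$host" \
            -addext "subjectAltName=DNS:$host" 2>/dev/null
    ) || return 1
    chmod 644 "$outdir/$host.crt"   # the certificate itself is public
}

# cert_matches_key HOST OUTDIR: true if the cert carries the key's public half
cert_matches_key() {
    a=$(openssl x509 -in "$2/$1.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2/$1.key" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_subject HOST OUTDIR: print the subject line for inspection
cert_subject() {
    openssl x509 -in "$2/$1.crt" -noout -subject
}

# Demo run over a constructed host list, in a scratch directory.
demo_dir=$(mktemp -d)
for h in content01.test.example content02.test.example; do
    make_cert "$h" "$demo_dir" && cert_matches_key "$h" "$demo_dir" \
        && echo "ok: $h $(cert_subject "$h" "$demo_dir")"
done
```

Unlike the piped-answers scripts earlier in the thread, this generates a separate key per host instead of reusing one server.key, so a key exposed on one test server does not affect the others.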
 
  

