Author: McYork

This will seem silly to some people; honestly, I am not a fan of what I have here yet. However, in a closed-loop environment where I run these scripts, it should be _safe_. I hope the code works. I have ripped it down to some fairly generic chunks.

So, why? Well, imagine I have a router or device that might run a small OS and can run UNIX commands but might not have access to the outside world or other tools installed. It can run shell scripts and most normal commands. I want to 1) get a yearly reminder to update the certificate and 2) find some easy way to install a certificate.

My solution is a cron job that runs every 11 months to generate a new CSR and email it to me <grin>. Step one is done. Then once I have got the certificate signed, I copy it up into the device with scp, and another script will move that file into the right place. First, it will check if it is derived from the local key, and maybe other checks can be added.

Step one, here’s the first script.

#!/bin/sh

# Get the hostname
HOSTNAME=$(hostname)

# Prepare the openssl configuration file
CONF_FILE="${HOSTNAME}_ssl.conf"

echo "[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = Country
ST = State
L = Location
O = Organization
OU = Organizational Unit
CN = $HOSTNAME.macicap.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $HOSTNAME.macicap.com" > $CONF_FILE
# the > wrote a new file and overwrote any old one.


# Check for existing ssl_key.pem and its size
# I want 4096 bit keys
if [ -e ssl_key.pem ]; then
  KEY_SIZE=$(openssl rsa -in ssl_key.pem -text -noout | grep 'Private-Key' | cut -d'(' -f2 | cut -d' ' -f1)
  if [ "$KEY_SIZE" -ne 4096 ]; then
    openssl genrsa -out ssl_key.pem 4096
  fi
else
  openssl genrsa -out ssl_key.pem 4096
fi

# Generate a new CSR
openssl req -new -key ssl_key.pem -out $HOSTNAME.csr -config $CONF_FILE

# Send the CSR via email using sendmail (optional)
# You will need to replace "smtp_server", "smtp_port", "from_address", "to_address", and "email_subject"
echo "Subject: email_subject
From: from_address
To: to_address

$(cat $HOSTNAME.csr)" | sendmail -H"exec openssl s_client -quiet -connect smtp_server:smtp_port -tls1 -starttls smtp" -f from_address -t to_address

That’s maybe a lot, but I hope you can figure it out from the comments. In theory, I was emailed a CSR file to sign. So let’s pretend I did that and uploaded it to some folder on the system. If the checks pass, a cron job will pick up the file and move it and the key file to the right place in the OS. Then I’ll need to figure out a reboot or the process to stop/start. Below is the script for that cron.

#!/bin/sh

# Define the directory where the certificate file will be uploaded
UPLOAD_DIR="/path/to/upload/directory"

# Define the names of the key, CSR, and certificate files
KEY_FILE="ssl_key.pem"
CSR_FILE="$(hostname).csr"
CERT_FILE="ssl_cert.pem"

# Define the target directory for the key and certificate files
TARGET_DIR="/etc/config"

# Check if there's a new certificate file in the upload directory
if [ -f "$UPLOAD_DIR/$CERT_FILE" ]; then
  # Verify that the certificate matches the private key
  if openssl x509 -noout -modulus -in "$UPLOAD_DIR/$CERT_FILE" | openssl md5 == openssl rsa -noout -modulus -in "$KEY_FILE" | openssl md5; then
    # Move the key and certificate files to the target directory (requires root privileges)
    mv "$KEY_FILE" "$TARGET_DIR/$KEY_FILE"
    mv "$UPLOAD_DIR/$CERT_FILE" "$TARGET_DIR/$CERT_FILE"
  fi
fi

This a reminder to make the scripts executable.

chmod +x /path/to/csr_script.sh
chmod +x /path/to/certificate_script.sh

The lines in crontab would look like this.

0 0 1 */11 * /path/to/csr_script.sh
0 0 * * * /path/to/certificate_script.sh

I’ll spend a little time taking what I have posted and using it to rebuild what I have to ensure I have not created too many new bugs. If I fix anything, I’ll update this paragraph and note the edits.

** macicap.com is in the code intentionally – I own it, it is parked, and it’s fun.

Now Open. https://www.mcyork.com/store/

Yes it’s a little bit of fun.

What’s a phone book?  Never mind that.

“If you don’t know I am not going to tell you” is how the Internet treats you if you need to find a friend’s email address.  When they change it and don’t email everyone they know of the change (and even when they do).  You will perhaps say Facebook, Twitter, et al will come to the rescue. This may be true in a lot of cases – but why rely on a rescue plan that’s as ephemeral as a fart?

Ephemeral you say (word of the day btw)?  I’d like to use a Yahoo example.  What if Yahoo fails (and we see it has teetered a bit).  I’d hate it to fail of course, but “what if” is how we need to approach the problem.  Say it goes poof.  You have no email now.  Um… what do you do?  Well of course you search through all your contacts and send out an email – hey I changed my email to pinkbunny42@somenewISP.com.  Please DO UNNECESSARY WORK, I need you all to update your address books. People all have the lazy gene on the Internet.  They’ll assume they can get to it later.  They won’t be able to find that email when they next think of you… The common thought you all have when going through this is “The close friends in my life know how to contact me regardless”.  Yup – well in this world you might also have moved, changed your cell phone number, and, not that it is relevant, been issued 4 different credit card numbers “because we detected suspicious activity” this year.  The point is (important) stuff changes all the time.  The perfect storm can leave you in the Internet’s dust.

Not to mention every site on the Internet you log into and forgot the password of – will no longer be able to email you a password reset.  This list is LONG.  Far more onerous than changing a credit card number.

Aside: Website password advice – use lastpass.com

Imagine a rock.  One touchstone that’s always there.  No matter what.  Your email address.  From beginning to end it never changes, not once.  Are you willing to go that extra mile to save a boatload of future pain?

My domain, mcyork.com, was registered on 1995-02-03.  Not the start of the Internet by any means but the start of my online life.  Associated with mcyork.com is my very first email address ianm@mcyork.com.  I HAVE changed my email now to ian@mcyork.com.  I never sent friends an update.  If they use ianm@ – I still get the email.  My replies are now from ian@.  Over time, but without a worry on my part, they will soon start to use my newer more current email address.  In fact, the more luddite-prone friends of mine will never know or need to know, my email address was modified. @mcyok.com is mine, I control it and all the email addresses (near-infinite) that can be associated with it.

What’s the answer/point?  Own your domain / control your destiny!

“Ok, thanks but there’s a catch, right?  To manage all that is probably technical and difficult.  We KNOW you are a geek with a blog!”

Let’s go through that over beers.  I’ll get you started.