我知道在使用 openssl 时,您可以通过以下方式绕过交互式输入:
- -passin pass:无论如何
- -passout 通行证:无论如何
- -subj "/C=pa/ST=pa/L=pa/O=pa/OU=pa/CN=pa"
但是,当签署证书时,例如:
openssl ca -config intermediate/openssl.cnf \
-passin pass:whatever \
-extensions usr_cert -days 375 -notext -md sha256 \
-in intermediate/csr/www.example.com.csr.pem \
-out intermediate/certs/www.example.com.cert.pem
我需要输入两次“y”:
....
X509v3 Authority Key Identifier:
keyid:96:7B:52:E6:FC:53:53:F0:F3:D1:B3:EB:FB:5C:95:4D:73:BD:B8:5D
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection
Certificate is to be certified until Jul 12 14:00:14 2017 GMT (375 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
是否有一个 openssl 命令行开关可以自动执行此操作?
答案1
从man ca
:
-batch
this sets the batch mode. In this mode no questions will be asked
and all certificates will be certified automatically.
顺便说一下,关于使用密码短语参数man openssl
有以下几点要说:pass:
pass:password
the actual password is password. Since the password is
visible to utilities (like 'ps' under Unix) this form should
only be used where security is not important.