Solved

Automate CSR (Certificate Signing Request) via Java Keytool with Batch and VBscript

Posted on 2013-06-12
Last Modified: 2013-06-12
Hi Experts!

I have a script we use to generate a CSR which is currently used manually. I'd like to be able to run this script remotely via sys management tools and use sort of an 'answer' file for info required to generate the CSR.

I guess I have a few questions: one, can I simply use batch for all of this, and what is the syntax for reading a "file.txt" and plugging in the answers? Two, is it possible to use VBscript to plug the answers in via file.txt, and can you provide a sample of this either way?

Or is there a completely different approach I should be taking?

The file.txt would exist in the same directory and its content would simply read something like this:

website.com
IT dept.
Miami
FL
US
yes



Here's what I have so far....

Title Generate CSR
@ECHO Off
REM Paths are stored without quotes and quoted where they are used, so that
REM %SSL_DIR%\%KEY_STORE% does not expand to "C:\SSL"\New.keystore
Set "X64_SYS=C:\Program Files (x86)"
Set "SSL_DIR=C:\SSL"
Set "SSL_BK_DIR=C:\SSL\BKup"
Set "KEY_STORE=New.keystore"

REM Fetch the path of the Java installation and set as variable
REM reg.exe prints "    Path    REG_SZ    <value>"; tokens=2* puts <value> in %%b

IF EXIST "%X64_SYS%" (
	for /f "tokens=2*" %%a in ('reg.exe query "HKLM\SOFTWARE\Wow6432Node\Java" /v "Path" ^| find /i "Path"') do set "JAVA_HOME=%%b"
) ELSE (
	for /f "tokens=2*" %%a in ('reg.exe query "HKLM\SOFTWARE\Java" /v "Path" ^| find /i "Path"') do set "JAVA_HOME=%%b"
)

Set "KTOOL=%JAVA_HOME%\bin\keytool.exe"
IF NOT EXIST "%KTOOL%" (
	ECHO keytool.exe not found at "%KTOOL%" - check the registry lookup above
	pause
	EXIT /B 1
)

REM Create dated working directory
REM %DATE% holds the same text "date /t" prints (e.g. "Wed 06/12/2013");
REM tokens 2-4 split on "/" and space give MM, DD, YYYY -> THEDAY=YYYYMMDD.
REM No temporary file is needed for this.

for /f "tokens=2-4 delims=/ " %%p in ("%DATE%") do set "THEDAY=%%r%%p%%q"
IF NOT EXIST "%SSL_DIR%" mkdir "%SSL_DIR%"
IF NOT EXIST "%SSL_BK_DIR%" mkdir "%SSL_BK_DIR%"
cd /d "%SSL_DIR%"
ECHO :
ECHO :::::::::::::::::::::::::::::::::::::::::::
ECHO :          
ECHO :     Please use caution while
ECHO :
ECHO :     entering SSL certificate details:
ECHO :
ECHO :  EXAMPLE:
ECHO :
ECHO :  First and Last Name:	        Website.com
ECHO :
ECHO :  Organization Unit:		IT Department
ECHO :
ECHO :  Organization:			Company Name
ECHO :
ECHO :  City or Locality:			City
ECHO :
ECHO :  State or Province:		State
ECHO :
ECHO :  Country Code:			US
ECHO :
ECHO :  Is this information Correct?:  yes
ECHO :
ECHO :::::::::::::::::::::::::::::::::::::::::::
ECHO :
ECHO :
REM keytool prompts for the keystore password, then the subject fields above
"%KTOOL%" -genkey -keyalg RSA -keysize 2048 -keystore "%SSL_DIR%\%KEY_STORE%" -alias tomcat
ECHO :
ECHO :::::::::::::::::::::::::::::::::::::::::::
ECHO :          
ECHO :      !!!  Verify All Certs Exist  !!!
ECHO :
ECHO :::::::::::::::::::::::::::::::::::::::::::
ECHO :
ECHO :
pause
"%KTOOL%" -list -keystore "%SSL_DIR%\%KEY_STORE%"
ECHO :
ECHO :
ECHO :::::::::::::::::::::::::::::::::::::::::::
ECHO :          
ECHO :      !!!  Verify All Certs Exist  !!!
ECHO :
ECHO :::::::::::::::::::::::::::::::::::::::::::
ECHO :
ECHO :
pause
ECHO :
ECHO :
ECHO :::::::::::::::::::::::::::::::::::::::::::
ECHO :          
ECHO :    Provide Password to export CSR
ECHO :
ECHO :::::::::::::::::::::::::::::::::::::::::::
ECHO :
ECHO :
"%KTOOL%" -certreq -keyalg RSA -file "%SSL_DIR%\New-CSR-%THEDAY%.csr" -keystore "%SSL_DIR%\%KEY_STORE%" -alias tomcat
REM Back up the keystore (it holds the private key) and the CSR under dated names
copy "%SSL_DIR%\%KEY_STORE%" "%SSL_BK_DIR%\CSR-EXPORTED-%THEDAY%.Keystore"
copy "%SSL_DIR%\New-CSR-%THEDAY%.csr" "%SSL_BK_DIR%\New-CSR-%THEDAY%.csr"
ECHO :
ECHO :
ECHO :::::::::::::::::::::::::::::::::::::::::::
ECHO :
ECHO :      Successfully Exported CSR to %SSL_DIR%
ECHO :
ECHO :::::::::::::::::::::::::::::::::::::::::::
ECHO :
ECHO :
ECHO :
pause

Question by:zequestioner

Author Comment

by:zequestioner
ID: 39242125
To test this you can simply create the folder C:\SSL and create a file called New.keystore in it. Set your variable manually for the java keytool and REM out the section that fetches it from the registry.
Accepted Solution

by:
DOSLover earned 500 total points
ID: 39242569
To answer your first question, yes, you can use input redirection to pass values to the command (keytool) as follows. Assume you have the prompt values in a file called file.txt. Please note the password is also a prompt and needs to be entered twice to confirm. The first two values in your file.txt will be passwords. You can save the prompt values for creating the certificate request separately, in file2.txt.
Then your keytool commands will be:
%KTOOL% -genkey -keyalg RSA -keysize 2048 -keystore %SSL_DIR%\%KEY_STORE% -alias tomcat  < file.txt

%KTOOL% -certreq -keyalg RSA -file %SSL_DIR%\New-CSR-%THEDAY%.csr -keystore %SSL_DIR%\%KEY_STORE% -alias tomcat < file2.txt

Author Comment

by:zequestioner
ID: 39242661
Sweet! That worked like a charm, but I have a question... why do the first 2 lines have to be the password? When you run the command manually, it only prompts once for the pw... so I'm wondering why the answer file needs it on both lines?
Expert Comment

by:DOSLover
ID: 39242725
I think it prompts once for the pwd and then the next prompt is 'Re-enter new password' to confirm.
Author Comment

by:zequestioner
ID: 39243170
But there shouldn't be a 'new' password in the beginning... again, running the command manually, it only asks for a pw once to get into the keystore... but what's weird is that if I don't list the pw twice (first two lines of file.txt) then it doesn't work....
Author Comment

by:zequestioner
ID: 39243171
I wonder why it's different from running it manually?
Author Comment

by:zequestioner
ID: 39243207
I think I answered my own question... the reason is that the answer file (file.txt) was missing a line for the company name (O after OU) and was taking the 2nd pw as the first prompt after the pw... I figured this out by removing the @echo off... works great... and now the pw is only needed once on the first line.
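The fix found above (getting every prompt, the organization line included, into file.txt in exactly the order keytool asks) works, but it stays fragile: any change in keytool's prompt sequence silently shifts the answers, and the keystore password sits in the same plain-text file as the subject data. The following is an added example, not code from the original post or from either participant. It reads the same six-line file.txt in batch and hands the subject to keytool as one -dname, so keytool never consumes stdin, and it supplies the password from a separate file through the -storepass:file / -keypass:file forms of the keytool options (present in JDK 6 and later keytool). KTOOL, SSL_DIR and KEY_STORE are assumed to be set as in the original script; ANSWERS and PWFILE are names chosen for this example.

```batch
@ECHO OFF
SETLOCAL EnableDelayedExpansion
REM Added example (not the original script). Assumes KTOOL, SSL_DIR and
REM KEY_STORE are already set as in the original; ANSWERS and PWFILE are ours.
SET "ANSWERS=file.txt"
SET "PWFILE=%SSL_DIR%\storepass.txt"

REM Expected lines of file.txt, in this order:
REM   1 CN (website.com)  2 OU  3 L (city)  4 ST  5 C  6 "yes" confirmation
REM FOR /F skips blank lines and lines starting with ";", so the count is
REM checked afterwards instead of trusting the file. Delayed expansion is used
REM for the A!N! names, so a value containing "!" would be mangled here.
SET /A N=0
FOR /F "usebackq delims=" %%L IN ("%ANSWERS%") DO (
    SET /A N+=1
    SET "A!N!=%%L"
)
IF NOT "%N%"=="6" (
    ECHO Expected 6 lines in %ANSWERS%, found %N% - aborting
    EXIT /B 1
)
IF /I NOT "%A6%"=="yes" (
    ECHO Line 6 of %ANSWERS% is not "yes" - aborting
    EXIT /B 1
)
IF NOT EXIST "%PWFILE%" (
    ECHO Password file "%PWFILE%" not found - aborting
    EXIT /B 1
)

REM The subject goes on the command line, so keytool asks no questions and
REM there is no prompt order to get wrong. O is simply omitted, as in the
REM original answer file; a value containing a comma would need a backslash
REM before the comma in the -dname string.
SET "DNAME=CN=%A1%, OU=%A2%, L=%A3%, ST=%A4%, C=%A5%"
ECHO Generating key pair for %DNAME%

REM -storepass:file / -keypass:file read the password from PWFILE, so it is
REM never typed, never piped, and never part of file.txt.
"%KTOOL%" -genkey -keyalg RSA -keysize 2048 -alias tomcat ^
    -keystore "%SSL_DIR%\%KEY_STORE%" -dname "%DNAME%" ^
    -storepass:file "%PWFILE%" -keypass:file "%PWFILE%"
IF ERRORLEVEL 1 (ECHO keytool -genkey failed & EXIT /B 1)

"%KTOOL%" -certreq -alias tomcat -keystore "%SSL_DIR%\%KEY_STORE%" ^
    -file "%SSL_DIR%\New-CSR.csr" -storepass:file "%PWFILE%"
IF ERRORLEVEL 1 (ECHO keytool -certreq failed & EXIT /B 1)

ECHO CSR written to "%SSL_DIR%\New-CSR.csr"
ENDLOCAL
```

Because the password file is the only secret this script touches, restrict its NTFS permissions to the account the management tool runs the script under (for example with icacls) and keep it out of the directory that gets copied to the backup folder; the keystore itself holds the private key and deserves the same treatment. With the subject on the command line the script also fails loudly on a malformed answer file instead of feeding the wrong line to the wrong prompt, which is what caused the confusion earlier in this thread.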