I am looking for a way to generate SSL certificates on an external Linux server, but can't figure out the best way.

The scenario:

When a user registers on a website (on a web server), I want the web server to send a message to another server where the SSL certificate and key will be generated for the user. The web server must send the username of the user to the external server. I know that it is better for security to generate SSL certs on a separate machine, and not on the web server.

The web server is also a Linux system and will use PHP, so maybe PHP should send this message to the 'ssl-generation-server'? I was thinking of using a BASH script, and a curl command like this because it is the easiest I can come up with:

    exec("curl http://ssl-gen-server/generate.php > /dev/null 2>&1 &");

I don't want the PHP call on the web server to wait for the answer from generate.php, so I will redirect it, so that it would be asynchronous.

After the SSL cert and key have been generated, they should be sent back to the web server so that they can be presented to the user. But the problem here is: how can the 'ssl-gen-server' contact the web server and inform it about the SSL cert?

Is it better to automate SSH logins from the web server to the SSL-gen server, and run commands there?

I know that PHP has openssl_csr_new, but maybe it is better to generate certificates with the actual openssl command?

John
  • Would letsencrypt with `certbot-auto` be _automatic_ enough? – moestly Jan 21 '18 at 17:01
  • "*I know that it is better for security to generate SSL certs on a separate machine, and not on the web server*": no, [there are pros and cons](https://serverfault.com/questions/471289/must-csrs-be-generated-on-the-server-that-will-host-the-ssl-certificate/471301#471301) to both local and remote generation. – MadHatter Jan 23 '18 at 07:02

2 Answers

(this should be a comment but it's a bit long)

> I was thinking using a BASH script, and a curl command like this

That is a very strange way to solve the problem. Even if this were the only possible way to invoke a remote URL from PHP, there are a lot of things wrong with the way you are interacting with curl.

You also seem to be very confused about the relationship between CSRs and certificates. You are trying to solve details of the implementation without any apparent consideration to the architecture and haven't really given an explanation of what you are trying to achieve (is this a client side certificate? Is the certificate and key to be deployed to a server?). Who is the certificate authority? Are you trying to automate an existing process or is this a new capability?

You don't seem to understand the necessity of separating the CSR creation from the certificate signing.

While the details of the invocation are easy to answer, there are so many peculiarities in your question regarding the integrity and confidentiality of the service, ignoring them and explaining any of the invocation solutions would be rather irresponsible.

The best advice (although still somewhat dangerous in the absence of a usage model) is ansi_lumen's recommendation to use letsencrypt.

symcbean
  • It will be a service that users will use. The certificates will be self-signed and they need to be generated when the user clicks on a button. It is a new capability. But you said this: `there are a lot of things wrong the way you are interacting with curl`. What is wrong with that way / why is it wrong? And why is it `dangerous in the absence of a usage model` ? – John Jan 24 '18 at 01:25
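The separation the answer insists on (key and CSR made where the cert will be used, only the CSR crossing to the signing side) is easy to see with the openssl CLI. This is an added example, not code from the question or either answer; the CA name, the username and the two directories standing in for the web server and the signing server are constructed placeholders.

```shell
#!/bin/sh
# Requester side makes the key and CSR; only the CSR crosses to the CA side,
# which signs it. The private key never leaves the requester directory.
set -eu

WORK=$(mktemp -d)
REQ="$WORK/requester"   # stands in for the web server
CA="$WORK/ca"           # stands in for the separate signing server
mkdir -p "$REQ" "$CA"

# One-time CA setup on the signing server (self-signed root, placeholder name).
setup_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" \
    -subj "/CN=Example Internal CA" >/dev/null 2>&1
}

# Requester side: key + CSR for one user. Only the CSR file is "sent".
make_csr() {   # $1 = username
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$REQ/$1.key" -out "$REQ/$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  cp "$REQ/$1.csr" "$CA/$1.csr"   # the only artifact that crosses hosts
}

# CA side: sign the CSR; the resulting cert is returned to the requester.
sign_csr() {   # $1 = username
  openssl x509 -req -in "$CA/$1.csr" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" \
    -CAcreateserial -days 90 -out "$CA/$1.crt" >/dev/null 2>&1
  cp "$CA/$1.crt" "$REQ/$1.crt"
}

# Check: cert chains to the CA, its public key matches the requester's
# private key, and the CA side never received a private key.
# Prints "ok" and returns 0 on success, returns 1 otherwise.
verify_user() {   # $1 = username
  openssl verify -CAfile "$CA/ca.crt" "$REQ/$1.crt" >/dev/null 2>&1 || return 1
  k=$(openssl pkey -in "$REQ/$1.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$REQ/$1.crt" -pubkey -noout 2>/dev/null)
  [ "$k" = "$c" ] || return 1
  [ ! -e "$CA/$1.key" ] || return 1
  echo ok
}

setup_ca
make_csr alice
sign_csr alice
verify_user alice
```

In a real deployment the CSR and the signed certificate would travel over an authenticated channel between the two hosts; the script only models which artifacts move in which direction.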
You want a PKI solution that includes a certificate authority and ways to issue certs. Full featured products include FreeIPA (aka Red Hat Identity Manager) or Active Directory Certificate Services.

In either case, explore something like certmonger to issue cert requests. It has a much better defined API than shelling out to openssl. As a bonus, it has an auto-renew feature.

If you don't care if it uses your PKI, implement Let's Encrypt and let them issue the certs.

Finally, before implementing your own with openssl shell scripts, don't, and look into certmonger helpers instead. If you really want to, read some tutorials to understand how to properly do PKI. I recommend a couple, authored by Stefan H. Holek or Jamie Nguyen.

John Mahowald