[IMP] add new work

get_guid.sh

@@ -0,0 +1,37 @@
+#/usr/bin/env bash
+
+# You no longer need Windows for aquiring DCs GUID
+IFS='
+'
+
+convertToHex() {
+  # Inspired by https://docs.microsoft.com/en-us/troubleshoot/windows-server/admin-development/convert-string-guid-to-hexadecimal-string
+  RAW="$1"
+  GUID=$(echo "$RAW" | sed 's/\-//g')
+
+  HEX="${GUID:6:2}"
+  HEX="${HEX}${GUID:4:2}"
+  HEX="${HEX}${GUID:2:2}"
+  HEX="${HEX}${GUID:0:2}"
+  HEX="${HEX}${GUID:10:2}"
+  HEX="${HEX}${GUID:8:2}"
+  HEX="${HEX}${GUID:14:2}"
+  HEX="${HEX}${GUID:12:2}"
+  len=${#HEX}
+  HEX="${HEX}${GUID:16:${len}}"
+
+  echo "$HEX"
+}
+
+
+# apt install ldb-tools
+realm=$(grep -i realm /etc/samba/smb.conf | awk '{print $3}' | tr '[:upper:]' '[:lower:]')
+dc=$(echo $realm | awk -F '.' '{for(i = 1; i <= NF; i++) {printf ",DC=" $i}}')
+base="OU=Domain Controllers${dc}"
+cn=$(hostname -s)
+#cn=$(srvads2)
+GUID=$(ldbsearch  -H /var/lib/samba/private/sam.ldb --basedn="$base" "CN=${cn}" objectGUID \
+  | grep '^objectGUID:' \
+  | awk '{print $2}' \
+)
+convertToHex "$GUID"

samba-pki-tools.ini.sample

@@ -3,21 +3,26 @@
 pki_dir = /opt/pki
 
 [openssl_config]
-root_name = KG TIS
+root_name = Tranquil IT
 country = FR
 state = Pays de la Loire
 city = Saint Sebastien Sur Loire
-organization_name = KG Tranquil IT
+organization_name = Tranquil IT
-organization_ou = KG Tranquil IT CA
+organization_ou = Tranquil IT CA
-organization_cn = KG Tranquil IT Root CA
+organization_cn = Tranquil IT Root CA
 
 default_cert_duration = 730
+default_crl_duration = 90
 
-crl_uri = URI:http://crl.kg.tranquil.it/crl/root_ca.crl
+crl_uri = URI:http://crl.ad.tranquil.it/crl/tranquilit_root.crl
 
 create_intermediate = True
-intermediate_organization_cn = INFOLIX Authentication CA
+intermediate_organization_cn = Tranquil IT Authentication CA
-intermediate_crl_uri = URI:http://crl.infolix.lan/crl/infolix_authentication.crl
+intermediate_crl_uri = URI:http://crl.ad.tranquil.it/crl/tranquilit_authentication.crl
+
+# If you use Yubikey, max value is 2048 ; Nitrokey can be 4096
+default_bits_user = 2048
 
 [samba_ad]
-dc_list =
+dc_list = srvads1.ad.tranquil.it,srvads2.ad.tranquil.it
+upn_suffix = ad.tranquil.it

templates/openssl_create_intermediate_ca.tmpl

@@ -0,0 +1,24 @@
+[ req ]
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+prompt              = no
+
+[ v3_ca ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer
+basicConstraints        = critical, CA:true
+keyUsage                = critical, digitalSignature, cRLSign, keyCertSign
+default_md              = sha512
+crlDistributionPoints   = {{ intermediate_crl_uri }}
+nsCertType              = sslCA, emailCA
+issuerAltName           = issuer:copy
+
+[ req_distinguished_name ]
+C   = {{ country }}
+ST  = {{ state }}
+L   = {{ city }}
+O   = {{ organization_name }}
+OU  = {{ organization_ou }}
+CN  = {{ intermediate_organization_cn }}
+

templates/openssl_root_ca.tmpl

@@ -1,5 +1,5 @@
 [ ca ]
-default_ca = {{ organization_ou }} 
+default_ca = CA_default
 
 [ CA_default ]
 dir                 = {{ pki_dir }}

templates/openssl_server_cert.tmpl

@@ -24,8 +24,8 @@ serial            = $dir/serial
 private			  = $dir/private
 
 # The root key and root certificate.
-private_key       = $dir/private/root_ca.key
+private_key       = {{ dc_ca_keyfile }}
-certificate       = $dir/certs/root_ca.crt
+certificate       = {{ dc_ca_certfile }}
 
 # SHA-1 is deprecated, so use SHA-2 instead.
 default_md        = sha512
@@ -36,7 +36,7 @@ default_days      = {{ default_crl_duration }}
 preserve          = no
 policy            = policy_loose
 
-default_crl_days    = 90
+default_crl_days    = {{ default_crl_duration }}
 
 [ req ]
 default_bits                = 4096

templates/openssl_sign_intermediate_csr.tmpl

@@ -0,0 +1,43 @@
+[ ca ]
+
+default_ca          = CA_default
+
+[ CA_default ]
+dir                 = {{ pki_dir }}
+certs               = $dir/certs
+crl_dir             = $dir/crl
+new_certs_dir       = $dir/newcerts
+database            = $dir/index.txt
+serial              = $dir/serial
+
+private_key         = {{ root_ca_keyfile }}
+certificate         = {{ root_ca_certfile }}
+
+default_md          = sha512
+
+name_opt            = ca_default
+cert_opt            = ca_default
+default_days        = 1825
+preserve            = no
+policy              = policy_loose
+default_crl_days    = {{ default_crl_duration }}
+
+[ policy_loose ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier        = hash
+authorityKeyIdentifier      = keyid:always,issuer
+basicConstraints            = critical, CA:true, pathlen:0
+keyUsage                    = critical, digitalSignature, cRLSign, keyCertSign
+
+crlDistributionPoints       = {{ intermediate_crl_uri }}
+nsCertType                  = sslCA, emailCA
+issuerAltName               = issuer:copy
+

templates/openssl_user_cert.tmpl

@@ -16,8 +16,8 @@ serial            = $dir/serial
 private			  = $dir/private
 
 # The root key and root certificate.
-private_key       = $dir/private/root_ca.key
+private_key       = {{ dc_ca_keyfile }}
-certificate       = $dir/certs/root_ca.crt
+certificate       = {{ dc_ca_certfile }}
 
 # SHA-1 is deprecated, so use SHA-2 instead.
 default_md        = sha512
@@ -28,10 +28,10 @@ default_days      = {{ default_crl_duration }}
 preserve          = no
 policy            = policy_loose
 
-default_crl_days    = 90
+default_crl_days    = {{ default_crl_duration }}
 
 [ req ]
-default_bits                = 4096
+default_bits        = {{ default_bits_user }}
 distinguished_name  = req_distinguished_name
 
 [ policy_loose ]
@@ -73,9 +73,12 @@ organizationalUnitName_default      = {{ organization_unit }}
 
 commonName          		= Common Name (eg, Your Name or server name)
 commonName_max              = 64
+commonName_default          = {{ commonName }}
 
 emailAddress                = Email Address
 emailAddress_max    		= 64
+emailAddress_default        = {{ emailAddress }}
+
 
 ########################################### User Certificates ################################################
 [ usr_cert_scarduser ]

tis-pki.py

@@ -23,6 +23,9 @@ class TisPKI:
     def root_ca_certfile():
         return os.path.join(TisPKI.pki_dir(),'certs','root_ca.crt')
 
+    def root_ca_keyfile():
+        return os.path.join(TisPKI.pki_dir(),'private','root_ca.key')
+
     def keyout_path():
         return os.path.join(TisPKI.pki_dir(),'private')
 
@@ -35,6 +38,16 @@ class TisPKI:
     def p12_path():
         return os.path.join(TisPKI.pki_dir(),'p12')
 
+    def config_path():
+        return os.path.join(TisPKI.pki_dir(),'config')
+
+    def crl_path():
+        return os.path.join(TisPKI.pki_dir(),'crl')
+
+
+    def intermediate_ca():
+        if config.getboolean('openssl_config','create_intermediate'):
+            return True
 
     def pki_intermediate_dir():
         return os.path.join(config.get('general','pki_dir'),'intermediate_ca')
@@ -54,6 +67,12 @@ class TisPKI:
     def intermediate_p12_path():
         return os.path.join(TisPKI.pki_intermediate_dir(),'p12')
 
+    def intermediate_config_path():
+        return os.path.join(TisPKI.pki_intermediate_dir(),'config')
+
+    def intermediate_crl_path():
+        return os.path.join(TisPKI.pki_intermediate_dir(),'crl')
+
 
 
 def check_directories(root_path):
@@ -80,8 +99,7 @@ def create_openssl_config():
     print('Check Root CA OpenSSL Config')
 
     root_ca_config = os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca.ini')
-    root_ca_keyfile = os.path.join(TisPKI.pki_dir(),'private','root_ca.key')
+
-    root_ca_sign_intermediate = os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca_sign_intermediate.ini')
 
     if not os.path.isfile(root_ca_config):
         print('Root CA OpenSSL configfile not exist. Creating...')
@@ -91,6 +109,7 @@ def create_openssl_config():
         root_ca_tmpl_var = {
             'organization_ou': config.get('openssl_config','organization_name') + ' CA',
             'default_cert_duration': config.get('openssl_config','default_cert_duration'),
+            'default_crl_duration' : config.get('openssl_config','default_crl_duration'),
             'pki_dir': TisPKI.pki_dir(),
             'country': config.get('openssl_config','country'),
             'state': config.get('openssl_config','state'),
@@ -105,33 +124,18 @@ def create_openssl_config():
             file.write(config_string)
         if os.path.isfile(root_ca_config):
             print('Root CA OpenSSL config file is correctly generated !')
-
-        if config.getboolean('openssl_config','create_intermediate'):
-            template_dir = os.path.join('templates')
-            jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
-            root_ca_tmpl = jinja_env.get_template('openssl_sign_intermediate_csr.tmpl')
-            root_ca_tmpl_var = {
-	            'organization_ou': config.get('openssl_config','organization_name') + ' CA',
-				'pki_dir':  TisPKI.pki_dir(),
-				'root_ca_keyfile': root_ca_keyfile,
-				'root_ca_certfile': TisPKI.root_ca_certfile(),
-                'intermediate_crl_uri': config.get('openssl_config','intermediate_crl_uri')
-			}
-
-            config_string = root_ca_tmpl.render(root_ca_tmpl_var)
-            with open(root_ca_sign_intermediate,'wt') as file:
-                file.write(config_string)
-            if os.path.isfile(root_ca_sign_intermediate):
-                print('Root CA OpenSSL sign intermediate config file is correctly generated !')
     else:
         print('Root CA OpenSSL config already exist. Skip.')
+
     # Generate privkey and cert for Root CA
-    if not os.path.isfile(root_ca_keyfile) and not os.path.isfile(TisPKI.root_ca_certfile()):
+    if not os.path.isfile(TisPKI.root_ca_keyfile()) and not os.path.isfile(TisPKI.root_ca_certfile()):
-        print('Generate CA private key')
+        print('Generate Root CA private key')
-        gen_root_ca = subprocess.run(f'/usr/bin/openssl req -x509 -new -sha512 -config {root_ca_config} -days 3650 -extensions v3_ca -keyout {root_ca_keyfile} -out {TisPKI.root_ca_certfile()} -passout pass:calimero', shell=True, check=True, executable='/bin/bash')
+        gen_root_ca = subprocess.run(f'/usr/bin/openssl req -x509 -new -sha512 -config {root_ca_config} -days 3650 -extensions v3_ca -keyout {TisPKI.root_ca_keyfile()} -out {TisPKI.root_ca_certfile()}', shell=True, check=True, executable='/bin/bash')
 
         if gen_root_ca.returncode == 0:
-            print(subprocess.run(f'openssl x509 -in {TisPKI.root_ca_certfile()} -text -noout', shell=True, check=True, executable='/bin/bash'))
+            print(f'Root CA Certfile is stored in {TisPKI.root_ca_certfile()}')
+            print(subprocess.run(f'openssl x509 -in {TisPKI.root_ca_certfile()} -text', shell=True, check=True, executable='/bin/bash'))
+            input("Press Enter to continue...")
         else:
             print('Error on generating Root CA private key')
             sys.exit(1)
@@ -144,6 +148,29 @@ def create_openssl_intermediate():
     check_directories(TisPKI.pki_intermediate_dir())
     intermediate_ca_config = os.path.join(TisPKI.pki_intermediate_dir(),'config','create_intermediate_ca.ini')
     intermediate_ca_keyfile = os.path.join(TisPKI.pki_intermediate_dir(),'private','intermediate_ca.key')
+    crl_file = os.path.join(TisPKI.pki_intermediate_dir(),'crl','intermediate_ca.crl')
+    root_ca_sign_intermediate = os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca_sign_intermediate.ini')
+
+    if not os.path.isfile(root_ca_sign_intermediate):
+        if TisPKI.intermediate_ca:
+            template_dir = os.path.join('templates')
+            jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
+            root_ca_tmpl = jinja_env.get_template('openssl_sign_intermediate_csr.tmpl')
+            root_ca_tmpl_var = {
+	            'organization_ou': config.get('openssl_config','organization_name') + ' CA',
+				'pki_dir':  TisPKI.pki_dir(),
+				'root_ca_keyfile': TisPKI.root_ca_keyfile(),
+				'root_ca_certfile': TisPKI.root_ca_certfile(),
+                'intermediate_crl_uri': config.get('openssl_config','intermediate_crl_uri'),
+                'default_crl_duration' : config.get('openssl_config','default_crl_duration'),
+			}
+
+            config_string = root_ca_tmpl.render(root_ca_tmpl_var)
+            with open(root_ca_sign_intermediate,'wt') as file:
+                file.write(config_string)
+            if os.path.isfile(root_ca_sign_intermediate):
+                print('Root CA OpenSSL sign intermediate config file is correctly generated !')
+
     if not os.path.isfile(intermediate_ca_config):
         print('Intermediate CA OpenSSL configfile not exist. Creating...')
         template_dir = os.path.join('templates')
@@ -172,44 +199,63 @@ def create_openssl_intermediate():
         print('Sign Intermediate CA with Root CA')
         sign_intermediate_ca = subprocess.run(f"/usr/bin/openssl ca -config {os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca_sign_intermediate.ini')} -extensions v3_intermediate_ca -days 1825 -notext -md sha512 -create_serial -in {TisPKI.intermediate_csr_path()}/intermediate_ca.csr -out {TisPKI.intermediate_ca_certfile()}", shell=True, check=True, executable='/bin/bash' )
         if sign_intermediate_ca.returncode == 0:
+            print(f'Intermediate CA Certfile is stored in : {TisPKI.intermediate_ca_certfile()}')
             print(subprocess.run(f'openssl x509 -in {TisPKI.intermediate_ca_certfile()} -text -noout', shell=True, check=True, executable='/bin/bash'))
+            input("Press Enter to continue...")
         else:
             print('Error on generating Intermediate CA private key')
             sys.exit(1)
     else:
         print('Intermediate CA private key and certificate already exist. Skip.')
 
+##    if not os.path.isfile(crl_file):
+##        print('Generate CRL')
+##        subprocess.run(f'openssl ca -config {intermediate_ca_config} -gencrl -out {crl_file}',shell=True)
+
 
 def generate_dc_certificate():
     dc_list = config.get('samba_ad','dc_list')
 
     for dc in dc_list.split(','):
-        dc_certfile = os.path.join(TisPKI.pki_dir(),'certs',f'{dc}.crt')
+        if TisPKI.intermediate_ca:
-        dc_keyfile = os.path.join(TisPKI.pki_dir(),'private',f'{dc}.key')
+            dc_certfile = os.path.join(TisPKI.intermediate_cert_path(),f'{dc}.crt')
-        dc_csrfile = os.path.join(TisPKI.pki_dir(),'csr',f'{dc}.csr')
+            dc_keyfile = os.path.join(TisPKI.intermediate_keyout_path(),f'{dc}.key')
-        dc_openssl_configfile = os.path.join(TisPKI.pki_dir(),'config',f'openssl_{dc}.ini')
+            dc_csrfile = os.path.join(TisPKI.intermediate_csr_path(),f'{dc}.csr')
-        crl_file = os.path.join(TisPKI.pki_dir(),'crl','root_ca.crl')
+            dc_openssl_configfile = os.path.join(TisPKI.intermediate_config_path(),f'openssl_{dc}.ini')
-
+            crl_file = os.path.join(TisPKI.intermediate_crl_path(),'intermediate_ca.crl')
-        if config.getboolean('openssl_config','create_intermediate'):
+            dc_ca_keyfile = os.path.join(TisPKI.intermediate_keyout_path(),'intermediate_ca.key')
-            dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','private','intermediate_ca.key')
+            dc_ca_certfile = os.path.join(TisPKI.intermediate_cert_path(),'intermediate_ca.crt')
-            dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','certs','intermediate_ca.crt')
+            crl_uri = config.get('openssl_config','intermediate_crl_uri')
+            pki_dir = TisPKI.pki_intermediate_dir()
         else:
-            dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'private','root_ca.key')
+            dc_certfile = os.path.join(TisPKI.cert_path(),f'{dc}.crt')
-            dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'certs','root_ca.crt')
+            dc_keyfile = os.path.join(TisPKI.keyout_path(),f'{dc}.key')
+            dc_csrfile = os.path.join(TisPKI.csr_path(),f'{dc}.csr')
+            dc_openssl_configfile = os.path.join(TisPKI.config_path(),f'openssl_{dc}.ini')
+            crl_file = os.path.join(TisPKI.crl_path(),'root_ca.crl')
+            dc_ca_keyfile = os.path.join(TisPKI.keyout_path(),'root_ca.key')
+            dc_ca_certfile = os.path.join(TisPKI.cert_path(),'root_ca.crt')
+            crl_uri = config.get('openssl_config','crl_uri')
+            pki_dir = TisPKI.pki_dir()
 
         if not os.path.isfile(dc_certfile) and not os.path.isfile(dc_keyfile):
             print(f'Generate certificate for {dc}')
-            #dc_guid = subprocess.run(f'get_guid.sh {dc}',shell=True)
+            input("Press Enter to continue...")
-            dc_guid = '3375a41d7acaa545994ffe4d94bda8ce'
+            dc_guid = subprocess.run('/bin/bash get_guid.sh',shell=True, check=True, executable='/bin/bash')
-            print(dc_guid)
+            if dc_guid.returncode != 0:
+                print('Unable to find dc_guid')
+                sys.exit(1)
+            else:
+                dc_guid = str(subprocess.check_output(f'/bin/bash get_guid.sh',shell=True).decode("utf-8")).strip()
+            print(str(dc_guid).strip())
             template_dir = ('templates')
             jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
             dc_tmpl = jinja_env.get_template('openssl_server_cert.tmpl')
             dc_tmpl_var = {
                 'dc_name': f"{dc}",
-                'dc_guid': dc_guid,
+                'dc_guid': str(dc_guid),
-                'crl_uri': config.get('openssl_config','crl_uri'),
+                'crl_uri': crl_uri,
-                'pki_dir': TisPKI.pki_dir(),
+                'pki_dir': pki_dir,
                 'default_cert_duration': config.get('openssl_config','default_cert_duration'),
                 'country': config.get('openssl_config','country'),
                 'state': config.get('openssl_config','state'),
@@ -228,7 +274,7 @@ def generate_dc_certificate():
                 print(f'{dc} OpenSSL configfile is correctly generated !')
 
             print(f'Generate private key and CSR for {dc}')
-            print(subprocess.run(f"openssl req -new -addext 'subjectAltName = email:copy' -newkey rsa:4096 -keyout {dc_keyfile} -out {dc_csrfile} -config {dc_openssl_configfile} -passout pass:calimero" , shell=True, check=True, executable='/bin/bash'))
+            print(subprocess.run(f"openssl req -new -addext 'subjectAltName = email:copy' -newkey rsa:4096 -keyout {dc_keyfile} -out {dc_csrfile} -config {dc_openssl_configfile}" , shell=True, check=True, executable='/bin/bash'))
 
             if os.path.isfile(dc_csrfile):
                 print(f'Sign certificate for {dc}')
@@ -238,30 +284,42 @@ def generate_dc_certificate():
                 print('Concatenation of DC and Root cert')
                 subprocess.run(f'cat {dc_certfile} {TisPKI.root_ca_certfile()} > {dc_certfile}_full',shell=True)
 
-        else:
-            print(f'{dc} private key and certificate already exist ! Revoke certificate before regenerate')
-    
-        print('Generate CRL')
-        subprocess.run(f'openssl ca -config {dc_openssl_configfile} -gencrl -out {crl_file}',shell=True)
-            
 
 def generate_user_certificate():
 
-    openssl_user_file = os.path.join(TisPKI.pki_dir(),'config','openssl_user.ini')
 
-    if config.getboolean('openssl_config','create_intermediate'):
+    default_bits_user = config.get('openssl_config','default_bits_user')
-        dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','private','intermediate_ca.key')
+
-        dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','certs','intermediate_ca.crt')
+    username = input('Enter username')
+
+    upn_suffix = config.get('samba_ad','upn_suffix')
+    upn = f'{username}@{upn_suffix}'
+
+    if TisPKI.intermediate_ca:
+        crl_file = os.path.join(TisPKI.intermediate_crl_path(),'intermediate_ca.crl')
+        dc_ca_keyfile = os.path.join(TisPKI.intermediate_keyout_path(),'intermediate_ca.key')
+        dc_ca_certfile = os.path.join(TisPKI.intermediate_cert_path(),'intermediate_ca.crt')
+        crl_uri = config.get('openssl_config','intermediate_crl_uri')
+        pki_dir = TisPKI.pki_intermediate_dir()
+        openssl_user_file = os.path.join(TisPKI.intermediate_config_path(),'openssl_user.ini')
+        emailAddress = upn
+        commonName = username
     else:
-        dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'private','root_ca.key')
+        crl_file = os.path.join(TisPKI.crl_path(),'root_ca.crl')
-        dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'certs','root_ca.crt')
+        dc_ca_keyfile = os.path.join(TisPKI.keyout_path(),'root_ca.key')
+        dc_ca_certfile = os.path.join(TisPKI.cert_path(),'root_ca.crt')
+        crl_uri = config.get('openssl_config','crl_uri')
+        pki_dir = TisPKI.pki_dir()
+        openssl_user_file = os.path.join(TisPKI.config_path(),'openssl_user.ini')
+        emailAddress = upn
+        commonName = username
 
     template_dir = ('templates')
     jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
     user_tmpl = jinja_env.get_template('openssl_user_cert.tmpl')
     user_tmpl_var = {
-                'crl_uri': config.get('openssl_config','crl_uri'),
+                'crl_uri': crl_uri,
-                'pki_dir': TisPKI.pki_dir(),
+                'pki_dir': pki_dir,
                 'default_cert_duration': config.get('openssl_config','default_cert_duration'),
                 'country': config.get('openssl_config','country'),
                 'state': config.get('openssl_config','state'),
@@ -269,7 +327,11 @@ def generate_user_certificate():
                 'organization_name': config.get('openssl_config','organization_name'),
                 'organization_ou': config.get('openssl_config','organization_ou'),
                 'dc_ca_keyfile': dc_ca_keyfile,
-                'dc_ca_certfile': dc_ca_certfile
+                'dc_ca_certfile': dc_ca_certfile,
+                'default_bits_user': config.get('openssl_config','default_bits_user'),
+                'emailAddress' : emailAddress,
+                'commonName' : commonName
+
     }
 
     config_string = user_tmpl.render(user_tmpl_var)
@@ -280,13 +342,10 @@ def generate_user_certificate():
     	print(f'User OpenSSL configfile is correctly generated !')
 
 
-    print('Enter username')
 
-    username = input()
-    upn = f'{username}@infolix.lan'
 
     print(f'Generate private key for {upn}')
-    print(subprocess.run(f"openssl req -new -newkey rsa:4096 -keyout {TisPKI.keyout_path()}/{username}.key -out {TisPKI.csr_path()}/{username}.csr -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)",shell=True,check=True, executable='/bin/bash'))
+    print(subprocess.run(f"openssl req -new -newkey rsa:{default_bits_user} -keyout {TisPKI.keyout_path()}/{username}.key -out {TisPKI.csr_path()}/{username}.csr -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)",shell=True,check=True, executable='/bin/bash'))
 
     print(f'Sign certificate')
     print(subprocess.run(f'openssl ca -extensions usr_cert_scarduser -days 730 -notext -md sha512 -create_serial -in {TisPKI.csr_path()}/{username}.csr -out {TisPKI.cert_path()}/{username}.crt -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)',shell=True,check=True, executable='/bin/bash'))