Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to specify CA private key password for client certificate creation using OpenSSL

I am building a command line script to create a client certificate using OpenSSL "mini CA" feature.

I have a CA certificate and CA private key encrypted with a password. With those things I am trying to create the client certificate and stumbled upon the command line syntax. How do I specify the password for the CA's private key?

So far, I have ...

openssl x509
  -req
  -in client.csr
  -signkey client.key
  -passin pass:clientPK
  -CA client-ca.crt
  -CAkey client-ca.key 
  -CAkeypassin pass:client-caPK <-- does not work
  -CAcreateserial
  -out client.crt
  -days 365

See the highlighted parameter. I expect something like this, but I cannot find it anywhere in the docs.

Corrected

Just for the records. The -signkey parameter is used for self signed certificates. CA's don't have access to the client's private key and so will not use this. Instead the -passin parameter refers to the CA's private key.

openssl x509
  -req
  -in client.csr
  -CA client-ca.crt
  -CAkey client-ca.key 
  -passin pass:CAPKPassword
  -CAcreateserial
  -out client.crt
  -days 365
like image 697
Dio F Avatar asked May 24 '15 17:05

Dio F


People also ask

How do I connect private key to certificate?

Assign the existing private key to a new certificateSelect Start, select Run, type mmc, and then select OK. On the File menu, select Add/Remove Snap-in. In the Add/Remove Snap-in dialog box, select Add. Select Certificates, and then select Add.


1 Answers

Use -passin pass as shown below.

 openssl x509
      -req
      -in client.csr
      -signkey client.key
      -passin pass:clientPK
      -CA client-ca.crt
      -CAkey client-ca.key 
      -passin pass:secret <-- try this
      -CAcreateserial
      -out client.crt
      -days 365
like image 143
Prabhu Avatar answered Oct 24 '22 05:10

Prabhu