Generate CSR and private key with password with OpenSSL

  • I am using the following command in order to generate a CSR together with a private key by using OpenSSL:

    openssl req -new -subj "/CN=sample.myhost.com" -out newcsr.csr -nodes -sha512 -newkey rsa:2048
    

    It generates two files:

    • newcsr.csr
    • privkey.pem

    The generated private key has no password: how can I add one during the generation process?

    Note: take into account that my final goal is to generate a p12 file by combining the certificate provided according to the CSR and the private key (secured with a password).

  • Ditch "-nodes"

    If you actually WANT encryption, then you'll need to remove the (awkwardly named) -nodes (read: "No DES encryption") parameter from your command.

    Because -nodes will result in an unencrypted privkey.pem file. And if you leave it out, then the file will be encrypted.

    So without -nodes openssl will just PROMPT you for a password like so:

    $ openssl req -new -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
    Generating a RSA private key
    .........................................+++++
    ................+++++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    

    But interactive prompting is not great for automation. So if you don't want to be prompted then you might want to read on for how to use "Pass Phrase arguments".

    Use OpenSSL "Pass Phrase arguments"

    If you want to supply a password for the output-file, you will need the (also awkwardly named) -passout parameter.

    This is a multi-dimensional parameter and allows you to read the actual password from a number of sources. Such as from a file or from an environment variable. Or straight from the command line (least secure). Below are examples for each of these usages.

    (The official manpage lists even more password-sources in the "Pass Phrase Options" section (Archived here.))

    Example: password from command line with "pass:"

    $ openssl req -new -passout pass:"Pomegranate" -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
    Generating a 2048 bit RSA private key
    ................................................................................................................................+++
    ......................+++
    writing new private key to 'privkey.pem'
    -----
    
    
    $ openssl rsa -in privkey.pem -passin pass:'Pomegranate' | head -n2
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpQIBAAKCAQEAsSP5kLRPP8wPODrnvuAeeoqGMqTOvRULL423vv6+zjYhwPUi
    

    Example: password from variable with "env:"

    $ export MYPASS='Elderberry'
    
    
    $ openssl req -new -passout env:MYPASS -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
    Generating a 2048 bit RSA private key
    ............................+++
    .....................+++
    writing new private key to 'privkey.pem'
    -----
    
    
    $ openssl rsa -in privkey.pem -passin pass:'Elderberry' | head -n2
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpQIBAAKCAQEAv0NnBnigPp+O9G4UXc0qSyeELdJJjTmnO9GEtE5GlPGoK7vW
    

    Example: password from file with "file:"

    $ echo "Farkleberry" > password.txt
    
    
    $ openssl req -new -passout file:password.txt -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
    Generating a 2048 bit RSA private key
    ......................+++
    ...........+++
    writing new private key to 'privkey.pem'
    -----
    
    
    $ openssl rsa -in privkey.pem -passin pass:'Farkleberry' | head -n2
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAsHICgYvqe4i9CIR5eQk38JJmuTaJQvyxPH9S+BahT5XWh88z
    

    Related Reading

    LOL, so that's what **nodes** stands for. Guessing that option preceded both **asn1-kludge** and **set_serial**

    Whether a password will or will not be asked for depends on some config options in the defaults somewhere. To force it you have to select the cipher. Unfortunately I didn't yet see any discussion of which to choose, all examples simply blindly throw in `-des3`.
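The answer's non-interactive route (-passout with file: and env:) carried through to the asker's stated goal, a password-protected .p12, as an added example that is not part of the original answer. It assumes openssl is on PATH; the certificate is self-signed only because no CA-issued one is available offline, and the pass phrases and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: CSR + encrypted key without a prompt,
# then the PKCS#12 bundle. Everything lives in a temp dir; values are constructed.
set -eu

WORK="$(mktemp -d)"
KEY="$WORK/privkey.pem"; CSR="$WORK/newcsr.csr"; CERT="$WORK/cert.pem"; P12="$WORK/bundle.p12"
KEYPASS_FILE="$WORK/keypass.txt"

# Key pass phrase comes from a file (file:), the .p12 pass phrase from an env var (env:).
# Keeping them apart avoids the man-page quirk where one file given to both -passin and
# -passout is read as line 1 = input password, line 2 = output password.
printf '%s\n' 'Farkleberry' > "$KEYPASS_FILE"
chmod 600 "$KEYPASS_FILE"
P12PASS='Pomegranate'; export P12PASS

# Step 1: same command as the answer, minus -nodes, plus -passout so there is no prompt.
# -keyout names the key file explicitly instead of relying on the privkey.pem default.
make_csr_and_key() {
  openssl req -new -subj "/CN=sample.myhost.com" -sha512 -newkey rsa:2048 \
    -keyout "$KEY" -out "$CSR" -passout "file:$KEYPASS_FILE" 2>/dev/null
}

# Returns 0 only if the PEM on disk is actually an encrypted key (not a plain one).
key_is_encrypted() { grep -q 'ENCRYPTED' "$KEY"; }

# Returns 0 only if the given pass-phrase argument unlocks the key; wrong value -> non-zero.
key_unlocks_with() { openssl pkey -in "$KEY" -passin "$1" -noout 2>/dev/null; }

# Step 2: the certificate. In practice the CA that received the CSR issues it;
# here the CSR is self-signed with the same encrypted key so the example runs offline.
make_cert() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -passin "file:$KEYPASS_FILE" \
    -days 1 -out "$CERT" 2>/dev/null
}

# Step 3: the asker's goal. -passin unlocks the encrypted key, -passout protects the .p12.
make_p12() {
  openssl pkcs12 -export -inkey "$KEY" -in "$CERT" -passin "file:$KEYPASS_FILE" \
    -passout env:P12PASS -out "$P12" 2>/dev/null
}

# Prints the subject of the certificate inside the bundle, proving the .p12 opens.
p12_subject() {
  openssl pkcs12 -in "$P12" -passin env:P12PASS -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

make_csr_and_key && make_cert && make_p12
```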

License under CC-BY-SA with attribution

