Currently, I am supplying the password in plaintext format as below:
openssl genrsa -aes128 -passout pass:foobar 3072
Where foobar is the password supplied in plaintext format .
I want to supply the password using some encrypted format or any other way such that its not easily readable .
If you indeed did supply the password in an encrypted format as you are requesting, how will provide the encryption key which was used to encrypt the said password to OpenSSL so that OpenSSL can decrypt it and use the correct password?
The password which you are providing to OpenSSL, I assume, is used by OpenSSL to encrypt the RSA Private Key which will be generated. If this is indeed the password which you want OpenSSL to use, then it has to be given in plaintext.
If you are worried that it might be seen by someone, you need to ensure that it is entered in a secure way. But, "encrypted password" is not the solution, as you might end up with a complication of protecting the encryption key for the password itself.
Usually, the password should be passed via openssl prompt (i.e.: removing the -passout pass:foobar argument).
If you're passing the password via command line because you have to use it in another part of the script, you can use the example below:
echo -n Password:
read -s PASS
openssl genrsa -out keypair.pem -aes128 -passout pass:${PASS}
opnessl req -new -key keypair.pem -passin pass:${PASS}
However, if you really need to generate keys without user interaction, you can use the example bellow, but I wouldn't recommend it for any production environment.
Create a script (e.g.: auto_key_gen.sh) containing the code bellow:
PASS=`openssl rand -hex 16`
openssl genrsa -out auto_keypair.pem -aes128 -passout pass:${PASS}
echo -n ${PASS} | openssl rsautl -encrypt -pubin -inkey $1 -out encrypted_pass.bin
Generate a personal keypair and extract the public key:
openssl genrsa -out mykeypair.pem -aes128
openssl rsa -in mykeypair.pem -out mypubkey.pem -pubout
Keep the personal keypair somewhere safe. The personal public key, you use to run the script:
chmod +x auto_key_gen.sh
./auto_key_gen.sh mypubkey.pem
The script generates a random password and uses it to encrypt the generated key pair (auto_keypair.pem). The password is encrypted with your personal public key and saved in a file (encrypted_pass.bin).
The script can keep the password in "memory" to use with other openssl commands.
You can retrieve the encrypted password using your personal keypair:
openssl rsautl -decrypt -inkey mykeypair.pem -in encrypted_pass.bin -out decrypted_pass.hex
Both the script and the public key must be protected against unauthorized modification.
Related
I am needing to automate the generation of self signed SSL certificates for testing purposes for a project. I am generating a certificate and key using the following OpenSSL command:
> openssl req -x509 -newkey rsa:2048 -keyout myserver.key -out myserver.crt -subj "/C=US/ST=California/L=San Diego/O=Development/OU=Dev/CN=example.com"
During generation you are prompted to create a PEM pass phrase:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
How can I automate this? I have tried the -passin argument like this:
openssl ...... -passin pass:foobar .....
also
openssl ...... -passin file:secretfile.txt .....
But in both cases it still asks for to create a PEM pass phrase. From what I read I think that passin is only adding a password to the key file...
Is it possible to automate this somehow?
The process creates a password protected key file. It thus needs a password which gets used to store this output file. But the -passin argument you use is for reading an input file. From the documentation:
-passin arg - the input file password source
Instead you need the proper option to specify the output password, i.e.
-passout arg - the output file password source
I have a piece of embedded software generating P12/PFX formatted output data.
The PFX is not password protected, that means instead of using a password-derived encryption/mac key the data is encrypted with a public key and signed with my private key.
In RFC7292 section 3.1 this is called public-key privacy and integrity modes.
My question is, how can I validate the PFX I receive, e.g. using openssl? (I'm not restricted to use openssl, by the way I google'd around but could not find a way...)
I tried
openssl pkcs12 -info -in test.pfx
but openssl requests a password, which is not applicable here. Did I miss any option to not being asked for a password?
openssl pkcs12 -info -in test.pfx -passin pass: -passout pass:
Alternatively, you can just use
openssl pkcs12 -info -in test.pfx
and when it asks for Import Password or PEM Pass Phrase (and you didn't use any while generating the pfx file), just press Enter.
openssl pkcs12 -in keyStoreWithoutPW.p12 -info -passin pass: -passout pass:
I'm following Heroku's documentation to generate a private key for an SSL certificate.
When I execute the command openssl genrsa -des3 -out server.pass.key 2048, I get the following result:
$ openssl genrsa -des3 -out server.pass.key 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..........................+++
..................................................+++
I can't get to the prompt where I'm supposed to enter the passphrase for the keys.
I don't understand why OpenSSL fails to complete. I've generated keys without triple DES, so I guess the error is in the encryption. How can I get this solved?
I saw this exact symptom in a Git for Windows shell.
It might be that it gets stuck trying to ask for a password but can't.
So as suggested here I added -passout pass:MyPassword and it worked.
I am having some serious problems with regards to being able to create a p12 file to place on my windows server.
I have used two different websites to be able to help me work out what i need to do:
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
The second website i used was a comment from within the website was the following:
http://arashnorouzi.wordpress.com/2011/06/19/sending-apple-push-notifications-in-asp-net-and-c-–-part-4-apns-sharp-c-wrapper-class/
First of all i create a Certificate signing request.
I then upload this to my app ID which alows me to generate a ape_dev certificate.
I then go to my key chain and navigate to the "keys" i export the .p12 certificate that i just created.
I now have three different files
My p12 file, my development certificate and my certificate signing request.
I then open terminal and i type the following:
$ openssl x509 -in aps_development.cer -inform der -out PushChatCert.pem
This then creates a new pem certificate.
The thing i type is the following
$ openssl pkcs12 -nocerts -out PushChatKey.pem -in PushChatKey.p12
It prompts for the password which i enter, i use the same password as the one when i created the certificates.
After i have done this I'm left with 2 new files both of which are PEM files.
I need to combine both of these PEM files into one p12 file for it to be able to work on my windows server.
I have tried combining it using the following line
openssl pkcs12 -export \
-in aps_developer_identity.pem \
-out aps_developer_identity.p12 \
-inkey APSCertificates.pem
This in fact works and gives me a p12 file.
I then switched back to he raywenderlich website and i typed the following:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert PushChatCert.pem -key PushChatKey.pem
It loads but i recieve the following error:
error:num=20:unable to get local issuer certificate
Please does any one know what im doing wrong im so fed up of going round in circles.
When i upload the certificate to the server and put the ad-hoc version off the application on the device im still not receiving any notifications that i am sending
Thanks in advance.
See if this answer helps Creating .pem file for APNS?
In short: openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
When you first generated your CSR, you did it with a private key. This can be opaque depending on how you did it. What I do is generate the key with openssl and then make the CSR using that key. That key is then the 'in key' when you make the p12.
Here are my steps
The first step is to generate a Certificate Signing Request. This is the same as it would be for any SSL cert. You will need a private key for this.
openssl genrsa -out aps_development.key -passout pass:foobar 2048
Then you can make the CSR using that key you just created
openssl req -new -key aps_development.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress#example.com, CN=John Doe, C=US"
From here you will go to developer.apple.com and revoke the current APN cert and make a new one. It will ask for your CSR and when its done it will give you a .cer file.
Convert the .cer file into a DER formatted .pem file (assuming aps_development.cer is the file you got in the download from the Apple developer site).
openssl x509 -in aps_development.cer -inform DER -outform PEM -out aps_development.pem
Convert the .pem to a .p12. You'll note that you are supplying the key file you made at the beginning of step 1. You will need the password you supplied there.
openssl pkcs12 -export -in aps_development.pem -inkey aps_development.key -out aps_development.p12
I have this command:
openssl genrsa -des3 -out host.key 1024
It asks me for a password, and I want to automate it! How I can make it read the password from a text file (host.pass) so it will not ask me, or have it ignore the password? Which approach is better?
Have a look at the manpage of openssl and genrsa. According to these you can use the option -passout file:host.pass.
By omimtting -des3 you won't be prompted for a passphrase (i.e. the key will not be encrypted).