
I am building a command line script to create a client certificate using the OpenSSL "mini CA" feature.

I have a CA certificate and CA private key encrypted with a password. With those things I am trying to create the client certificate and stumbled upon the command line syntax. How do I specify the password for the CA's private key?

So far, I have ...

```shell
openssl x509
  -req
  -in client.csr
  -signkey client.key
  -passin pass:clientPK
  -CA client-ca.crt
  -CAkey client-ca.key
  -CAkeypassin pass:client-caPK   <-- does not work
  -CAcreateserial
  -out client.crt
  -days 365
```

See the highlighted parameter. I expect something like this, but I cannot find it anywhere in the docs.

Corrected

Just for the record: the -signkey parameter is used for self-signed certificates. CAs don't have access to the client's private key and so will not use this. Instead, the -passin parameter refers to the CA's private key.

```shell
openssl x509 \
  -req \
  -in client.csr \
  -CA client-ca.crt \
  -CAkey client-ca.key \
  -passin pass:CAPKPassword \
  -CAcreateserial \
  -out client.crt \
  -days 365
```
Dio F
    Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww May 25 '15 at 00:45
  • Yep... Voted to close and migrate to SuperUser. – Dio F May 25 '15 at 16:16
  • 3
    Yeah, writing openssl commands isn't actually programming -it just feels like it. – mwfearnley Feb 17 '21 at 15:31

1 Answer

Use -passin pass as shown below.

```shell
openssl x509
  -req
  -in client.csr
  -signkey client.key
  -passin pass:clientPK
  -CA client-ca.crt
  -CAkey client-ca.key
  -passin pass:secret   <-- try this
  -CAcreateserial
  -out client.crt
  -days 365
```
Prabhu
  • You are right. I made a mistake by adding the `-signkey` parameter and so the password that is already in there marked with `-passin` parameter refers to the client's private key - which is actually not available for the CA. – Dio F May 25 '15 at 16:08
  • 1
    what's the meaning of each part of "passin" parameter ? What is "pass" and what is "secret" ? – expert Mar 28 '16 at 15:34
  • 1
    Verbatim "pass" means password is given in command line and secret should be substituted with actual password. There are options to supply password with file/fd, see `man openssl` for details. – reddot Apr 04 '16 at 14:35
  • 2
    Is it normal/intended to have the "passin" argument present several times? Isn't the first one simply replaced by the second one? – Jaroslav Záruba Aug 19 '19 at 11:44
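The corrected command from the question and the answer above, worked end to end as an added example (not code from the question or the answer): it builds a throwaway CA with a password-protected key, creates a client key and CSR, signs the CSR with a single `-passin` that refers to the CA key, and then verifies the result. All file names, subjects and passwords are constructed here; it also shows the `file:` form of `-passin` that the comments mention, which keeps the password out of the process list.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Every file name,
# subject and password below is constructed for this demonstration.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
CA_PASS='client-caPK'   # constructed sample password for the CA private key

# 1. CA: an encrypted private key plus a self-signed CA certificate.
#    -passout protects the key; -passin reads it back when self-signing.
openssl genrsa -aes256 -passout "pass:$CA_PASS" -out client-ca.key 2048 2>/dev/null
openssl req -x509 -new -key client-ca.key -passin "pass:$CA_PASS" \
  -subj '/CN=Example Client CA' -days 3650 -out client-ca.crt 2>/dev/null

# 2. Client key and CSR. The CA never needs client.key, which is why
#    -signkey (self-signing) does not belong in the CA's signing command.
openssl genrsa -out client.key 2048 2>/dev/null
openssl req -new -key client.key -subj '/CN=client1' -out client.csr 2>/dev/null

# 3. Sign the CSR. The one -passin refers to the -CAkey password. The
#    password is read from a mode-0600 file instead of "pass:" on the command
#    line, so it does not show up in process listings or shell history.
umask 077
printf '%s\n' "$CA_PASS" > ca-pass.txt
openssl x509 -req -in client.csr \
  -CA client-ca.crt -CAkey client-ca.key -passin file:ca-pass.txt \
  -CAcreateserial -days 365 -out client.crt 2>/dev/null

# 4. Checks. The client cert must chain to the CA and name it as issuer;
#    returns 0 on success, 1 otherwise.
verify_client_cert() {
  openssl verify -CAfile client-ca.crt client.crt >/dev/null 2>&1 || return 1
  openssl x509 -in client.crt -noout -issuer | grep -q 'Example Client CA' || return 1
  return 0
}

# A wrong CA password must make signing fail; returns 0 when it is rejected.
wrong_password_is_rejected() {
  if openssl x509 -req -in client.csr -CA client-ca.crt -CAkey client-ca.key \
       -passin pass:not-the-real-password -out /dev/null 2>/dev/null; then
    return 1
  fi
  return 0
}

verify_client_cert && echo "client.crt is signed by the CA and verifies"
wrong_password_is_rejected && echo "signing with a wrong CA password is rejected"
```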