57

I would like some help with the openssl command. I need to automate the retrieval of the subject= line in a pkcs12 certificate for a script I'm working on.

I've used openssl to view the contents of the Identity/Certificate:

openssl pkcs12 -info -in /Users/[user]/Desktop/ID.pfx

But I am prompted three times for the password. I used -passin to eliminate one of the password prompts, but I am still being prompted for the PEM pass phrase and verification entry.
I need to figure out a way to pass ${password} to the other two password challenges or have the script issue a ctrl-c. The piece of info I need is output to stdout before the second password prompt.

Any help would be appreciated!

Obviously I gutted the certificate output for this post.... but you should get the idea of what I'm seeing:

bash-3.2#  openssl pkcs12 -info -in /Users/[user]/Desktop/ID.pfx -passin pass:${password}
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: ****
    friendlyName: ****
subject=****
issuer=****
-----BEGIN CERTIFICATE-----
::HASH REMOVED::
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: ****
Bag Attributes
    localKeyID: **** 
    friendlyName: ****
Key Attributes: <No Attributes>

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: 

::HASH REMOVED::
-----END RSA PRIVATE KEY-----
bash-3.2# 
Sonic84
  • Probably you should post an example .pfx/.p12 file for your case. Also, consider using options like `-clcerts`, `-nokeys`, `-password`. Also try `openssl pkcs12 -help`. – abbot Dec 14 '11 at 08:03
  • openssl pkcs12 -nokeys -in /Users/[User]/Desktop/ID.pfx -passin pass:${password} did the trick. Thank you for pointing me in the right direction! – Sonic84 Dec 16 '11 at 15:44
  • 2
    please be aware that OSX and Linux other users can see your command line arguments, including the password after `-passin pass:...` – Andre Holzner Oct 11 '18 at 09:28

4 Answers

70

Try this:

$ openssl pkcs12 -in ~/cert.p12 -nodes \
    -passin pass:"my password" | openssl x509 -noout -subject

Or this for the common name (ruby to strip trailing whitespace):

$ openssl pkcs12 -in ~/cert.p12 -nodes \
    -passin pass:"my password" | openssl x509 -noout -subject \
    | awk -F'[=/]' '{print $6}'`.strip`
slm
Alfie Hanssen
    please be aware that on OSX and Linux and similar platforms other users can see your command line arguments, including the password after `-passin pass:...` – Andre Holzner Oct 11 '18 at 09:29
14

Copying answer here in order to remove this question from the "Unanswered" filter:

openssl pkcs12 -nokeys -in /Users/[User]/Desktop/ID.pfx -passin pass:${password}
rbrito
DreadPirateShawn
6

You could also use -passin and -passout, which would not prompt you again for manual input. Here is some sample code:

openssl pkcs12 -in seldpush_dev.p12 -passin pass:$password -passout pass:$password | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
openssl x509 -subject -noout

Basically, use -keyword to fetch that value. In your case, -subject.

jww
Ajay. A
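The pattern the answers converge on, pulled together as an added example (this is not code from the question or from any answer above): `-nokeys` so no private key is written and the PEM pass-phrase prompts never appear, the certificate piped into `openssl x509 -subject`, and, addressing the comment about `ps` showing command-line arguments, the import password supplied with `-passin file:` instead of `-passin pass:`. The script assumes only that the `openssl` CLI (1.1 or 3.x) is installed; the key, certificate, bundle and password it creates are constructed for the demo and are not real credentials.

```sh
#!/bin/sh
# Added example, not code from the question or any of the answers. It shows
# the non-interactive pattern the answers converge on (-nokeys so no private
# key is written and no PEM pass-phrase prompt appears, piped into
# "openssl x509 -subject") while keeping the import password off the command
# line with "-passin file:", so it is not visible to other users via ps.
# Assumes only that the openssl CLI (1.1 or 3.x) is installed.
set -eu

# p12_subject P12FILE PASSWORDFILE
# Prints the subject DN of the first end-entity certificate in the bundle.
# -clcerts skips any CA certificates stored alongside it; RFC2253 gives a
# single, stable one-line form that is easy to grep in a script.
p12_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "file:$2" \
        | openssl x509 -noout -subject -nameopt RFC2253
}

# make_demo_p12 OUTFILE PASSWORDFILE CN
# Builds a throw-away self-signed certificate and packs it into a PKCS#12
# file so the example runs offline; the key, cert and password are all
# constructed here and are not real credentials.
make_demo_p12() {
    work=$(mktemp -d)
    umask 077                          # password file readable by owner only
    printf '%s' 'demo-import-password' > "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Org/CN=$3" \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$work/cert.pem" -inkey "$work/key.pem" \
        -name demo -out "$1" -passout "file:$2"
    rm -rf "$work"
}

# Stand-alone demo on a constructed bundle (skipped if openssl is absent).
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_demo_p12 "$demo/id.p12" "$demo/pw.txt" demo-subject
    p12_subject "$demo/id.p12" "$demo/pw.txt"   # e.g. subject=CN=demo-subject,O=Example Org
    rm -rf "$demo"
fi
```

With `-nokeys` there is no key to re-encrypt, so `-passout` is not needed at all and the two PEM pass-phrase prompts from the question disappear. `-passin env:VARNAME` is the other option that keeps the secret out of the argument list; `file:` is used here because a mode-0600 file survives across invocations without exporting the password into the environment of child processes. A wrong password makes the first `openssl pkcs12` fail and the pipeline exit non-zero, which a calling script should check rather than assuming a subject line was printed.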
-1

This is a few years late; I'm not familiar with openssl, etc.; but since I see no reference to "-nokeys" I'll give what works for me.

echo -e "$password\n$passphrase\n$passphrase\n" \
| openssl pkcs12 -in /Users/[user]/Desktop/ID.pfx -passin stdin -passout stdin

From the man page:

stdin     read the password from standard input.
acornblue