26

I am using the following command in order to generate a CSR together with a private key by using OpenSSL:

openssl req -new -subj "/CN=sample.myhost.com" -out newcsr.csr -nodes -sha512 -newkey rsa:2048

It generates two files:

  • newcsr.csr
  • privkey.pem

The generated private key has no password: how can I add one during the generation process?

Note: take into account that my final goal is to generate a p12 file by combining the certificate provided according to the CSR and the private key (secured with a password).

vdenotaris

2 Answers

44

Ditch "-nodes"

If you actually WANT encryption, then you'll need to remove the (awkwardly named) -nodes (read: "No DES encryption") parameter from your command.

That is because -nodes results in an unencrypted privkey.pem file; if you leave it out, the file will be encrypted.

So without -nodes openssl will just PROMPT you for a password like so:

$ openssl req -new -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
Generating a RSA private key
.........................................+++++
................+++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

But interactive prompting is not great for automation. So if you don't want to be prompted then you might want to read on for how to use "Pass Phrase arguments".

Use OpenSSL "Pass Phrase arguments"

If you want to supply a password for the output file, you will need the (also awkwardly named) -passout parameter.

This is a multi-dimensional parameter that allows you to read the actual password from a number of sources, such as a file, an environment variable, or straight from the command line (least secure). Below are examples for each of these usages.

(The official manpage lists even more password-sources in the "Pass Phrase Options" section (Archived here.))

Example: password from command line with "pass:"

$ openssl req -new -passout pass:"Pomegranate" -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
Generating a 2048 bit RSA private key
................................................................................................................................+++
......................+++
writing new private key to 'privkey.pem'
-----


$ openssl rsa -in privkey.pem -passin pass:'Pomegranate' | head -n2
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAsSP5kLRPP8wPODrnvuAeeoqGMqTOvRULL423vv6+zjYhwPUi

Example: password from variable with "env:"

$ export MYPASS='Elderberry'


$ openssl req -new -passout env:MYPASS -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
Generating a 2048 bit RSA private key
............................+++
.....................+++
writing new private key to 'privkey.pem'
-----


$ openssl rsa -in privkey.pem -passin pass:'Elderberry' | head -n2
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAv0NnBnigPp+O9G4UXc0qSyeELdJJjTmnO9GEtE5GlPGoK7vW

Example: password from file with "file:"

$ echo "Farkleberry" > password.txt


$ openssl req -new -passout file:password.txt -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
Generating a 2048 bit RSA private key
......................+++
...........+++
writing new private key to 'privkey.pem'
-----


$ openssl rsa -in privkey.pem -passin pass:'Farkleberry' | head -n2
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsHICgYvqe4i9CIR5eQk38JJmuTaJQvyxPH9S+BahT5XWh88z


StackzOfZtuff
    LOL, so that's what **nodes** stands for. Guessing that option preceded both **asn1-kludge** and **set_serial** – bvj Apr 01 '19 at 18:37
  • Whether password will or will not be asked for depends on some config options in the defaults somewhere. To force it you have to select the cipher. Unfortunately I didn't yet see any discussion of which to choose, all examples simply blindly throw in `-des3`. – Jan Hudec Nov 24 '20 at 21:31
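The same workflow as the answer above, as an added example that is not part of the original post: generate the encrypted key and CSR with the passphrase read from a file (so it never appears in the process list), then verify that the key really is encrypted, that only the right passphrase unlocks it, and that the CSR belongs to that key. It assumes the openssl binary is on PATH; the passphrase, subject and file names are constructed here.

```shell
#!/bin/sh
# Added example, not code from the original answers. Assumes `openssl` is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed passphrase, written to a mode-0600 file (umask 077) so it is read
# via -passout file:... rather than being visible on the command line.
umask 077
printf '%s\n' 'Farkleberry' > "$WORK/password.txt"

# Generate the private key and CSR in one step. Omitting -nodes is what makes
# the key encrypted; -keyout names the key file explicitly instead of relying
# on the default privkey.pem in the current directory.
gen_key_and_csr() {
  openssl req -new -subj "/CN=sample.myhost.com" \
    -newkey rsa:2048 -sha512 \
    -keyout "$WORK/privkey.pem" -out "$WORK/newcsr.csr" \
    -passout "file:$WORK/password.txt" 2>/dev/null
}

# Check 1: the PEM must carry an encryption marker, either the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" header (OpenSSL 3) or the legacy
# "Proc-Type: 4,ENCRYPTED" line (OpenSSL 1.x).
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$WORK/privkey.pem"
}

# Check 2: openssl rsa exits non-zero when the passphrase is wrong, so this
# doubles as a test that the wrong passphrase is rejected.
key_unlocks_with() {
  openssl rsa -in "$WORK/privkey.pem" -passin "pass:$1" -noout 2>/dev/null
}

# Check 3: the CSR's public key must be the public half of the private key.
# Both are exported as PEM public keys and compared by digest.
csr_matches_key() {
  csr_pub=$(openssl req -in "$WORK/newcsr.csr" -noout -pubkey | openssl md5)
  key_pub=$(openssl rsa -in "$WORK/privkey.pem" -passin "file:$WORK/password.txt" \
            -pubout 2>/dev/null | openssl md5)
  [ "$csr_pub" = "$key_pub" ]
}

gen_key_and_csr
key_is_encrypted && echo "key is encrypted"
key_unlocks_with Farkleberry && echo "correct passphrase accepted"
! key_unlocks_with WrongPass && echo "wrong passphrase rejected"
csr_matches_key && echo "CSR public key matches private key"
```

The `-passin file:` and `-passout file:` sources read only the first line of the file, so the trailing newline written by printf is harmless.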
4

You can update the key with a password with the following command:

openssl rsa -des3 -in server.key -out server.key.new

Then use mv server.key.new server.key to overwrite the old key.

BadSkillz