2

I need to pass the password via the command line during the export in a bash script.

IBM has this on their website:

openssl pkcs12 -export -in "$pem" -inkey "$key" -out "$pfx" -passout pass:pkcs12 "$pfxpass";

The above does not work for me.

The command below works but then you are prompted to enter and reenter a password.

openssl pkcs12 -export -in "$pem" -inkey "$key" -out "$pfx";

How can this be scripted?

Curious Sam
  • Why doesn't it work? – Michael Hampton Feb 27 '18 at 23:56
  • Do you get an error message? What OS and OpenSSL version is this? – Andrew Feb 28 '18 at 00:05
  • `root@pl /home/remove # openssl pkcs12 -export -in me.pem -inkey me.key -out me.pfx -passout pass:pkcs12 uberpassword Usage: pkcs12 [options] where options are -export output PKCS12 file -chain add certificate chain -inkey file private key if not infile -certfile f add all certs in f -CApath arg - PEM format directory of CA's -CAfile arg - PEM format file of CA's -name "name" use name as friendly name ` OpenSSL 1.0.2g 1 Mar 2016 on Ubuntu 16.04 – Curious Sam Feb 28 '18 at 04:05
  • I don't understand this part: `-passout pass:pkcs12 "$pfxpass"`. `-passout pass:pkcs12` will use `pkcs12` as the password, the rest will be treated as another parameter and probably cause the command to fail. I personally recommend not using `pass:...` and set the password into an environment variable and then `-passout env:varname`. – Ondřej Xicht Světlík Apr 09 '18 at 12:52

1 Answer

6

You need to use -passin in your command, because the key you've used with -inkey needs a password. Also, the exported pkcs12 file will need a password, so you need to use -passout as well. So, assuming you'll use the same password for the imported and exported keys, you should use this command:

openssl pkcs12 \
  -export \
  -in "$pem" -inkey "$key" -passin pass:"$pfxpass" \
  -passout pass:"$pfxpass" -out "$pfx" 

Hope it helps!

Viktor Csomor
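
The `-passout env:varname` form suggested in the comment above, combined with the `-passin` from the answer, as an added example that is not part of the original thread: both passwords are read from the environment, so neither appears in the `openssl` argument list. The names `export_pfx`, `demo_export_pfx`, `PFX_IN_PASS` and `PFX_OUT_PASS` are hypothetical, and the demo runs on a throwaway key and certificate it generates itself.

```bash
# Added example; export_pfx, demo_export_pfx, PFX_IN_PASS and PFX_OUT_PASS
# are hypothetical names chosen for this sketch.

# export_pfx CERT.pem KEY.pem OUT.pfx
# Reads the export password from $PFX_OUT_PASS and, if the private key is
# encrypted, its passphrase from $PFX_IN_PASS. Neither value appears in argv.
export_pfx() (
    pem=$1; key=$2; pfx=$3
    if [ -z "${PFX_OUT_PASS:-}" ]; then
        echo "export_pfx: PFX_OUT_PASS is not set or empty" >&2
        exit 2           # fail early with a clear message
    fi
    export PFX_OUT_PASS  # env: only works if the variable reaches the child
    set -- pkcs12 -export -in "$pem" -inkey "$key" -out "$pfx" \
        -passout env:PFX_OUT_PASS
    if [ -n "${PFX_IN_PASS:-}" ]; then
        export PFX_IN_PASS
        set -- "$@" -passin env:PFX_IN_PASS
    fi
    umask 077            # the bundle holds a private key: owner-only file
    openssl "$@" || exit 1
    # Check that the bundle really opens with the export password.
    openssl pkcs12 -in "$pfx" -noout -passin env:PFX_OUT_PASS
)

# Demo on constructed input: a throwaway self-signed cert with an encrypted key.
demo_export_pfx() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    PFX_IN_PASS='constructed-key-pass'    # sample values, not real secrets
    PFX_OUT_PASS='constructed-pfx-pass'
    export PFX_IN_PASS PFX_OUT_PASS
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=example.test" \
        -keyout "$dir/me.key" -out "$dir/me.pem" \
        -passout env:PFX_IN_PASS 2>/dev/null || exit 1
    export_pfx "$dir/me.pem" "$dir/me.key" "$dir/me.pfx"
)
```

The environment of a process is still readable by the same user and by root, so this narrows exposure compared with `pass:` rather than removing it. OpenSSL also accepts `file:pathname` and `fd:number` as password sources when the environment is not acceptable either.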