How to provide a CA private key password to create a client certificate using OpenSSL

I am creating a command line script to generate a client certificate using the "mini CA" function of OpenSSL.

I have a CA certificate and a CA private key encrypted with a password. With these things, I am trying to create a client certificate and stumbled upon the command line syntax. How do I provide a password for the CA private key?

So far I have had ...

openssl x509
  -req
  -in client.csr
  -signkey client.key
  -passin pass:clientPK
  -CA client-ca.crt
  -CAkey client-ca.key 
  -CAkeypassin pass:client-caPK <-- does not work
  -CAcreateserial
  -out client.crt
  -days 365

      

See highlighted option. I am expecting something like this, but I cannot find it anywhere in the docs.

Corrected

For the record only. The parameter -signkey is used for self-signed certificates. CAs do not have access to the client's private key and therefore will not use this. Instead, the parameter -passin refers to the CA's private key.

openssl x509 \
  -req \
  -in client.csr \
  -CA client-ca.crt \
  -CAkey client-ca.key \
  -passin pass:CAPKPassword \
  -CAcreateserial \
  -out client.crt \
  -days 365

      

+3




1 answer


Use -passin pass as shown below.



 openssl x509
      -req
      -in client.csr
      -signkey client.key
      -passin pass:clientPK
      -CA client-ca.crt
      -CAkey client-ca.key 
      -passin pass:secret <-- try this
      -CAcreateserial
      -out client.crt
      -days 365

      

+7
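An added example, not part of the original question or answer: the corrected signing step run end to end against a throwaway CA, with the CA key passphrase read through OpenSSL's `file:` source so it never appears in the process list or shell history, as a `pass:` value does. File names follow the question; the subjects, the passphrase and the two function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: file names follow the question; subjects, passphrase and
# function names are constructed for this demo.

# Build a throwaway CA (encrypted key) and a client CSR inside directory $1.
make_demo_pki() {
    ( cd "$1" && umask 077 &&
      # The passphrase sits in an owner-only file, not on the command line.
      printf '%s\n' 'constructed-demo-passphrase' > ca.pass &&
      openssl genrsa -aes256 -passout file:ca.pass -out client-ca.key 2048 2>/dev/null &&
      openssl req -new -x509 -key client-ca.key -passin file:ca.pass \
          -subj '/CN=Demo Client CA' -days 30 -out client-ca.crt &&
      # The client key stays with the client; the CA only receives the CSR.
      openssl genrsa -out client.key 2048 2>/dev/null &&
      openssl req -new -key client.key -subj '/CN=demo-client' -out client.csr )
}

# Sign client.csr in directory $1. $2 is the passphrase file for the CA key
# (absolute path, or relative to $1). Returns 0 only if the issued
# certificate verifies against the CA certificate.
sign_client_csr() {
    ( cd "$1" && rm -f client.crt &&
      # -passin unlocks the key named by -CAkey; no -signkey is involved.
      openssl x509 -req -in client.csr \
          -CA client-ca.crt -CAkey client-ca.key \
          -passin "file:$2" \
          -CAcreateserial -out client.crt -days 365 2>/dev/null &&
      openssl verify -CAfile client-ca.crt client.crt >/dev/null 2>&1 )
}

# Demo run: create the PKI, sign, and show who issued the certificate.
demo=$(mktemp -d) && make_demo_pki "$demo" && sign_client_csr "$demo" ca.pass &&
    openssl x509 -in "$demo/client.crt" -noout -subject -issuer
```

OpenSSL also accepts `env:VARNAME` and `stdin` as passphrase sources for `-passin`. A wrong passphrase makes the `x509` step fail outright, so `sign_client_csr` returns non-zero.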

