Generate CSR and private key with password with OpenSSL

Ditch "-nodes"

If you actually WANT encryption, then you'll need to remove the (awkwardly named) -nodes (read: "No DES encryption") parameter from your command.

Because -nodes will result in an unencrypted privkey.pem file. And if you leave it out, then the file will be encrypted.

So without -nodes openssl will just PROMPT you for a password like so:

$ openssl req -new -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
Generating a RSA private key
.........................................+++++
................+++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

But interactive prompting is not great for automation. So if you don't want to be prompted then you might want to read on for how to use "Pass Phrase arguments".

Use OpenSSL "Pass Phrase arguments"

If you want to supply a password for the output-file, you will need the (also awkwardly named) -passout parameter.

This is a multi-dimensional parameter and allows you to read the actual password from a number of sources. Such as from a file or from an environment variable. Or straight from the command line (least secure). Below are examples for each of these usages.

(The official manpage lists even more password-sources in the "Pass Phrase Options" section (Archived here.))

Example: password from command line with "pass:"

$ openssl req -new -passout pass:"Pomegranate" -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
Generating a 2048 bit RSA private key
................................................................................................................................+++
......................+++
writing new private key to 'privkey.pem'
-----


$ openssl rsa -in privkey.pem -passin pass:'Pomegranate' | head -n2
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAsSP5kLRPP8wPODrnvuAeeoqGMqTOvRULL423vv6+zjYhwPUi

Example: password from variable with "env:"

$ export MYPASS='Elderberry'


$ openssl req -new -passout env:MYPASS -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
Generating a 2048 bit RSA private key
............................+++
.....................+++
writing new private key to 'privkey.pem'
-----


$ openssl rsa -in privkey.pem -passin pass:'Elderberry' | head -n2
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAv0NnBnigPp+O9G4UXc0qSyeELdJJjTmnO9GEtE5GlPGoK7vW

Example: password from file with "file:"

$ echo "Farkleberry" > password.txt


$ openssl req -new -passout file:password.txt -subj "/CN=sample.myhost.com" -out newcsr.csr -sha512 -newkey rsa:2048
Generating a 2048 bit RSA private key
......................+++
...........+++
writing new private key to 'privkey.pem'
-----


$ openssl rsa -in privkey.pem -passin pass:'Farkleberry' | head -n2
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsHICgYvqe4i9CIR5eQk38JJmuTaJQvyxPH9S+BahT5XWh88z

Related Reading

  • https://stackoverflow.com/questions/4294689/how-to-generate-an-openssl-key-using-a-passphrase-from-the-command-line
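An added example, not part of the answer above: the `file:` source combined with a restrictive umask, so the passphrase never appears on the command line, followed by checks that the resulting key really is encrypted. The temporary working directory, the `pass.txt` file name and the helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example; paths and function names are constructed for illustration.

# Generate an encrypted RSA key and a CSR without any interactive prompt.
# $1 = output directory, $2 = common name
gen_encrypted_csr() {
    (
        umask 077                                    # new files get mode 0600
        openssl rand -base64 32 > "$1/pass.txt" &&   # random passphrase, kept off argv
        openssl req -new -newkey rsa:2048 -sha512 \
            -subj "/CN=$2" \
            -passout "file:$1/pass.txt" \
            -keyout "$1/privkey.pem" -out "$1/newcsr.csr" 2>/dev/null
    )
}

# True if the PEM is marked encrypted. Matches the PKCS#8 header
# ("BEGIN ENCRYPTED PRIVATE KEY") and the traditional "Proc-Type: 4,ENCRYPTED".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# True if the pass phrase source $2 (e.g. file:pass.txt) decrypts key $1.
key_opens_with() {
    openssl rsa -in "$1" -passin "$2" -noout 2>/dev/null
}

# True if the CSR's self-signature verifies.
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Permission string of a file, e.g. "-rw-------".
file_mode() {
    ls -l "$1" | cut -c1-10
}

workdir=$(mktemp -d)
gen_encrypted_csr "$workdir" sample.myhost.com &&
    key_is_encrypted "$workdir/privkey.pem" &&
    key_opens_with "$workdir/privkey.pem" "file:$workdir/pass.txt" &&
    csr_is_valid "$workdir/newcsr.csr" &&
    echo "encrypted key and CSR written to $workdir"
```
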

You can update the key with a password with the following command:

openssl rsa -des3 -in server.key -out server.key.new

Then use mv server.key.new server.key to overwrite the old key.