opensslcertificatepempfxpkcs#12

openssl: how to convert pfx into pem in a script


I can successfully convert a pfx into a pem if I run openssl pkcs12 -in cert.pfx -out cert.pem -password pass:mypass. I will be prompted though to enter the PEM passphrase so the private key is encrypted inside the .pem file.

But in a script, how do I automatically enter the PEM passphrase? I tried using -passin argument but it had no effect.

I´m guessing that if I concatenate the PEM cert and the PEM key individually (not from the pfx) it would be equivalent to converting from pfx to pem, but the PEM file that comes from the PFX has those Bag Attributes outside the the base64 string and I don´t know if that matters or not.

So, how do I properly "create" a PEM file, with encrypted private key, without being prompted form passphrases?


Solution

  • If you check out the openssl pkcs12 documentation you will see:

    -passin arg

    The PKCS#12 file (i.e. input file) password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

    -passout arg

    Pass phrase source to encrypt any outputted private keys with. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

    Which points you to:

    Pass Phrase Options

    Several commands accept password arguments, typically using -passin and -passout for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off.

    Note that character encoding may be relevant, please see passphrase-encoding(7).

    pass:password

    The actual password is password. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important. env:var

    Obtain the password from the environment variable var. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution. file:pathname

    The first line of pathname is the password. If the same pathname argument is supplied to -passin and -passout arguments then the first line will be used for the input password and the next line for the output password. pathname need not refer to a regular file: it could for example refer to a device or named pipe. fd:number

    Read the password from the file descriptor number. This can be used to send the data via a pipe for example. stdin

    Read the password from standard input.

    So to put it all together you can do:

    openssl pkcs12 -in cert.pfx -out cert.pem -passin pass:mypass -passout pass:mypass
    

    As to why the -password does not work for you:

    -password arg

    With -export, -password is equivalent to -passout. Otherwise, -password is equivalent to -passin.

    So since you are not using "-export" it's only acting as the the same as the "-passin" option. Because of this behaviour, I like to explicitly use "-passin" and "-passout" instead.