I can successfully convert a pfx into a pem if I run openssl pkcs12 -in cert.pfx -out cert.pem -password pass:mypass. I will be prompted though to enter the PEM passphrase so the private key is encrypted inside the .pem file.
But in a script, how do I automatically enter the PEM passphrase? I tried using -passin argument but it had no effect.
I'm guessing that if I concatenate the PEM cert and the PEM key individually (not from the pfx) it would be equivalent to converting from pfx to pem, but the PEM file that comes from the PFX has those Bag Attributes outside the base64 string and I don't know if that matters or not.
So, how do I properly "create" a PEM file, with encrypted private key, without being prompted for passphrases?
If you check out the openssl pkcs12 documentation you will see:
-passin arg
The PKCS#12 file (i.e. input file) password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
-passout arg
Pass phrase source to encrypt any outputted private keys with. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
Which points you to:
Pass Phrase Options
Several commands accept password arguments, typically using -passin and -passout for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off.
Note that character encoding may be relevant, please see passphrase-encoding(7).
pass:password
The actual password is password. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important.
env:var
Obtain the password from the environment variable var. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution.
file:pathname
The first line of pathname is the password. If the same pathname argument is supplied to -passin and -passout arguments then the first line will be used for the input password and the next line for the output password. pathname need not refer to a regular file: it could for example refer to a device or named pipe.
fd:number
Read the password from the file descriptor number. This can be used to send the data via a pipe for example.
stdin
Read the password from standard input.
So to put it all together you can do:
openssl pkcs12 -in cert.pfx -out cert.pem -passin pass:mypass -passout pass:mypass
As to why the -password does not work for you:
-password arg
With -export, -password is equivalent to -passout. Otherwise, -password is equivalent to -passin.
So since you are not using "-export" it's only acting the same as the "-passin" option. Because of this behaviour, I like to explicitly use "-passin" and "-passout" instead.
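The following script is an added example, not part of the question or the answer above, showing the non-interactive conversion with the file: pass phrase source instead of pass:, so neither password appears on the command line. It builds a throwaway self-signed certificate and PFX (constructed test material, password "mypass") so it runs stand-alone; the file names, the PEM passphrase "pempass" and the helper function names are assumptions of this example. It relies on the two-line behaviour quoted from openssl(1): when the same file: argument is given to -passin and -passout, line 1 unlocks the PFX and line 2 encrypts the output key.

```shell
#!/bin/sh
# Added example: convert a PFX to a PEM with an encrypted private key without
# any terminal prompt, reading both passwords from a mode-600 file.
set -eu

# Build a throwaway key, certificate and PFX so the example is self-contained.
# The PFX password "mypass" is constructed test material.
make_demo_pfx() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo.example \
    -keyout "$dir/key.pem" -out "$dir/crt.pem" >/dev/null 2>&1
  openssl pkcs12 -export -in "$dir/crt.pem" -inkey "$dir/key.pem" \
    -out "$dir/cert.pfx" -passout pass:mypass
}

# Write the two-line password file: line 1 = PFX password (-passin),
# line 2 = passphrase for the output PEM key (-passout).
write_password_file() {
  pwfile=$1; pfx_password=$2; pem_passphrase=$3
  umask 077                       # file is created readable only by the owner
  printf '%s\n%s\n' "$pfx_password" "$pem_passphrase" > "$pwfile"
}

# The actual conversion: same file: argument for -passin and -passout, so
# openssl consumes line 1 for the input and line 2 for the output password.
pfx_to_pem() {
  pfx=$1; pem=$2; pwfile=$3
  openssl pkcs12 -in "$pfx" -out "$pem" \
    -passin "file:$pwfile" -passout "file:$pwfile"
}

# Returns 0 if the PEM holds an encrypted (PKCS#8) private key block.
pem_key_is_encrypted() {
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Returns 0 if the given passphrase decrypts the key inside the PEM file
# (the Bag Attributes lines before the block are ignored by the PEM parser).
pem_key_opens_with() {
  openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Run the whole procedure in a temporary directory.
demo() {
  tmp=$(mktemp -d)
  make_demo_pfx "$tmp"
  write_password_file "$tmp/pw.txt" mypass pempass
  pfx_to_pem "$tmp/cert.pfx" "$tmp/cert.pem" "$tmp/pw.txt"
  pem_key_is_encrypted "$tmp/cert.pem"
  pem_key_opens_with "$tmp/cert.pem" pempass
  echo "converted $tmp/cert.pfx -> $tmp/cert.pem (key encrypted with line 2 of pw.txt)"
}

demo
```

If a script must not leave the passwords on disk at all, the fd: form works the same way with a pipe or here-document feeding the descriptor (`-passin fd:3 -passout fd:4`); the env: form is simpler but leaves the values visible to anything that can read the process environment, as the quoted manual notes.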