We are using the nopass argument because we want to start the OpenVPN server without a password prompt. Also, in this example we are using server1 as the server name (entity) identifier. If you choose a different name for your server, don't forget to adjust the instructions below where the server name is used.

I created a CA with EasyRSA 3.0 on CentOS 7. Everything is working fine in interactive mode. Then I updated the vars file to allow batch creation of req, key and cert for VPN clients. It works perfectly without prompting, but there is one issue: all the req/certs have the same CN=ChangeMe.
First - what happens if I don't give a passphrase? Is some sort of pseudo-random phrase used? I'm just looking for something 'good enough' to keep casual hackers at bay.
Second - how do I generate a key pair from the command line, supplying the passphrase on the command line?
I finally got it working using these commands, using exec(), which it is generally reckoned not safe to use, it being better to give the passphrase in a file. I can accept this risk as I am sure that the PHP will only ever be executed on my PC (which runs Windows & doesn't have a ps command).
Many many thanks to @caf, without whom this would not have been possible.
Only one regret - that, no matter how much I Google, no one can seem to get openssl_pkey_new() working with Xampp on Windows (which is the proper way to generate a key pair).
2 Answers
If you don't use a passphrase, then the private key is not encrypted with any symmetric cipher - it is output completely unprotected.
You can generate a keypair, supplying the password on the command line using an invocation like (in this case, the password is foobar):
However, note that this passphrase could be grabbed by any other process running on the machine at the time, since command-line arguments are generally visible to all processes.
A better alternative is to write the passphrase into a temporary file that is protected with file permissions, and specify that:
Or supply the passphrase on standard input:
You can also use a named pipe with the file: option, or a file descriptor.
To then obtain the matching public key, you need to use openssl rsa, supplying the same passphrase with the -passin parameter as was used to encrypt the private key:
(This expects the encrypted private key on standard input - you can instead read it from a file using -in <file>.)
Example of creating a 3072-bit private and public key pair in files, with the private key encrypted with password foobar:
genrsa has been replaced by genpkey, & when run manually in a terminal it will prompt for a password:
However, when run from a script the command will not ask for a password, so to avoid the password being viewable as a process, use a function in a shell script:
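The two answers above (the one recommending file:, fd: or stdin passphrase sources and the one suggesting a shell function around genpkey) both omit the actual commands. The script below is an added example, not code from either answer: it generates a 3072-bit RSA key encrypted with AES-256-CBC, reading the passphrase from a mode-0600 file (-pass file:) rather than from argv (-pass pass:foobar, which every user's ps can read), extracts the public key with the passphrase handed over on file descriptor 3 (-passin fd:3), and checks that the key is rejected with a wrong passphrase. The scratch paths, the passphrase foobar and the function names are assumptions for this demo; the openssl options used are the documented genpkey/rsa ones.

```shell
#!/bin/sh
# Added example (not from the answers above): passphrase-protected RSA key
# without the passphrase ever appearing on a command line. Paths, the demo
# passphrase and function names are assumptions made for this script.
set -eu

# The openssl CLI must be installed; bail out cleanly if it is not.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

WORK="$(mktemp -d)"            # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Write the passphrase to a file only the owner can read (0600 via umask).
# File contents are invisible to `ps`, unlike command-line arguments.
write_passfile() {             # $1 = path, $2 = passphrase
    ( umask 077; printf '%s\n' "$2" > "$1" )
}

# Generate a 3072-bit RSA key, encrypted with AES-256-CBC (PKCS#8 output).
# genpkey reads the passphrase via "file:", so it never appears in argv.
gen_encrypted_key() {          # $1 = key path, $2 = passphrase file
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -aes-256-cbc -pass "file:$2" -out "$1" 2>/dev/null
}

# Extract the public key; the passphrase arrives on fd 3 this time
# (the "file descriptor" variant), opened just for this command.
extract_pubkey() {             # $1 = encrypted key, $2 = passphrase file, $3 = output
    openssl rsa -in "$1" -passin fd:3 -pubout -out "$3" 3< "$2" 2>/dev/null
}

# Return 0 if the key can be decrypted with the given passphrase (read from
# stdin, the third option the answer mentions), 1 otherwise.
key_opens_with() {             # $1 = encrypted key, $2 = passphrase string
    printf '%s\n' "$2" | openssl rsa -in "$1" -passin stdin -noout >/dev/null 2>&1
}

# Return 0 if the PEM file carries an encrypted PKCS#8 private key.
is_encrypted_pem() {           # $1 = key path
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

PASSFILE="$WORK/pass.txt"
KEY="$WORK/server.key"
PUB="$WORK/server.pub"

write_passfile "$PASSFILE" 'foobar'     # demo passphrase, same value as the answer
gen_encrypted_key "$KEY" "$PASSFILE"
extract_pubkey "$KEY" "$PASSFILE" "$PUB"

is_encrypted_pem "$KEY"      && echo "private key is encrypted"
key_opens_with "$KEY" foobar && echo "correct passphrase opens the key"
key_opens_with "$KEY" wrong  || echo "wrong passphrase is rejected"
```

Drop the two functions into any shell script that must run unattended; keep the passphrase file on a tmpfs or a root-only directory, since anyone who can read it can decrypt the key.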
I'm working with Apache2 and Passenger for a Rails project. I would like to create a self-signed SSL Certificate for testing purposes.
When I enter the above command, it says
If I do not enter the pass phrase, I'm getting the below error
Is it possible to generate an RSA key without giving a pass phrase, since I am not sure how the /etc/init.d/httpd script will start the HTTP server without human intervention (i.e. if I give a 4-character pass phrase, it expects me to provide this while starting the Apache HTTP server)?
6 Answers
If you are generating a self signed cert, you can do both the key and cert in one command like so:
Oh, and what @MadHatter said in his answer about omitting the -des3 flag.
Leave off the -des3 flag, which is an instruction to openssl to encrypt server.key.new (which, incidentally, isn't a new key at all - it's exactly the same as server.key, only with the passphrase changed/stripped off).
The openssl req command from the answer by @Tom H is correct to create a self-signed certificate in server.cert incl. a password-less RSA private key in server.key:
Here is how it works. Omitting -des3 as in the answer by @MadHatter is not enough in this case to create a private key without passphrase. It is enough for this purpose in the openssl rsa ('convert a private key') command referred to by @MadHatter and the openssl genrsa ('create a private key') command. Just not for the openssl req command here. We additionally need -nodes ('No DES encryption of server.key please!').
Use the -nodes parameter; if this option is specified then the private key will not be encrypted, e.g.:
Just run it again through openssl: first generate the key with the passphrase, then run openssl rsa -in server.key -out server.key.
Use the next command to generate a password-less private key file with no encryption. The last parameter is the size of the private key.
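The answers above describe two routes to an unencrypted server key (strip the passphrase with openssl rsa -in -out, or create key and certificate in one go with openssl req -x509 -nodes), but the commands themselves did not survive on this page. The script below is an added example, not code from any of the answers: it generates an encrypted key (passphrase from a 0600 file, not argv), rewrites it without encryption, creates a self-signed certificate plus -nodes key, and then verifies that both keys carry no ENCRYPTED header and that the certificate's public key matches the key it was issued with. Scratch paths, the CN localhost, the 30-day validity and the function names are assumptions for this demo.

```shell
#!/bin/sh
# Added example (not from the answers above): produce Apache-ready, unencrypted
# keys two ways and verify the result. Paths, CN, validity and function names
# are assumptions made for this script.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

WORK="$(mktemp -d)"            # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Encrypted starting point, as in the question (passphrase read from a file).
make_encrypted_key() {         # $1 = output key, $2 = passphrase file
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$2" -out "$1" 2>/dev/null
}

# "Run it again through openssl": same key, written without encryption.
strip_passphrase() {           # $1 = encrypted key, $2 = passphrase file, $3 = output
    openssl rsa -in "$1" -passin "file:$2" -out "$3" 2>/dev/null
}

# One-shot self-signed certificate; -nodes keeps the new key unencrypted so
# httpd can start without a prompt.
make_selfsigned() {            # $1 = key out, $2 = cert out, $3 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null
}

# Return 0 if the PEM file is a private key with no encryption marker
# (neither PKCS#8 "ENCRYPTED PRIVATE KEY" nor the legacy "Proc-Type: 4,ENCRYPTED").
is_unencrypted_key() {         # $1 = key path
    grep -q 'PRIVATE KEY-----' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

# Return 0 if the certificate's public key equals the private key's public half.
cert_matches_key() {           # $1 = cert, $2 = key
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl rsa -in "$2" -pubout 2>/dev/null)"
    [ "$cert_pub" = "$key_pub" ]
}

PASSFILE="$WORK/pass.txt"; ( umask 077; printf 'secret\n' > "$PASSFILE" )
ENC="$WORK/server.key.enc"; PLAIN="$WORK/server.key"
SKEY="$WORK/selfsigned.key"; CERT="$WORK/selfsigned.crt"

make_encrypted_key "$ENC" "$PASSFILE"
strip_passphrase "$ENC" "$PASSFILE" "$PLAIN"
chmod 600 "$PLAIN"                       # an unencrypted key is only as safe as its mode
make_selfsigned "$SKEY" "$CERT" localhost
chmod 600 "$SKEY"

is_unencrypted_key "$PLAIN"      && echo "server.key: passphrase stripped"
is_unencrypted_key "$SKEY"       && echo "selfsigned.key: created with -nodes"
cert_matches_key "$CERT" "$SKEY" && echo "selfsigned.crt matches selfsigned.key"
```

Whichever route you take, the trade-off is the same: the key on disk is now readable by anything that can read the file, so restrict it to root (or the user httpd drops privileges from) and keep it out of backups that are less protected than the server itself.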