13

I'm following Heroku's documentation to generate a private key for an SSL certificate.

When I execute the command `openssl genrsa -des3 -out server.pass.key 2048`, I get the following result:

```
$ openssl genrsa -des3 -out server.pass.key 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..........................+++
..................................................+++
```

I can't get to the prompt where I'm supposed to enter the passphrase for the keys.

I don't understand why OpenSSL fails to complete. I've generated keys without triple DES, so I guess the error is in the encryption. How can I get this solved?

jww
akis
  • You also seem to be missing the `e is 65537 (0x10001)` output. You should probably ask on a site more appropriate to running commands, like [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/). Stack Overflow's niche is programming and development questions, and questions would ask about API calls like `RSA_generate_key_ex`. – jww Aug 16 '16 at 21:36
  • That documentation looks a bit odd — it has you generate an encrypted private key, only to have you strip the encryption in the very next step and never use the encrypted version again. As a workaround I guess you could just create an unencrypted key directly and use that. – matt Aug 17 '16 at 01:44

2 Answers

15

I saw this exact symptom in a Git for Windows shell. It might be that it gets stuck trying to ask for a password but can't. So as suggested here I added `-passout pass:MyPassword` and it worked.

CrazyPyro
  • Can you show the full command? I tried adding it at the end but then I get "Unable to load private key". `openssl genrsa -des3 -out server.key 2048 -passout pass:MyPassword` `openssl req -new -key server.key -out server.csr` `openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt` `cp server.key server.key.copy` `openssl rsa -in server.key.copy -out server.key` `rm server.key.copy` – David Klempfner Apr 06 '21 at 00:43
  • 1
    Worked for me! Hint: The passout attribute is not allowed to be appended at the end of the string, but has to be in front of the number at the end of the string: `openssl genrsa -aes128 -passout file:passphrase.txt 3072` Source: https://stackoverflow.com/a/4300425/268066 – devbf Apr 14 '23 at 09:11
1

Another approach is to run openssl behind winpty (assuming you're within the MINGW64's mintty window), like so:

```
$ winpty openssl genrsa -des3 -out server.pass.key 2048
Generating a RSA private key
....++++
....++++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
(etc)
```

Whereas without winpty it gets stuck:

[image]

Dai
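
The `-passout` fix from the first answer and its comments, as an added example that is not part of the original posts: it generates the encrypted key without a prompt, reading the passphrase from a file rather than from `pass:` on the command line (which is visible in the process list and shell history), then checks that the key is encrypted and opens with that passphrase. The function names, file names and sample passphrase are assumptions of this example.

```sh
# Added example (not from the original posts). File names and the sample
# passphrase are constructed; intended for Git Bash, MSYS2 or any POSIX shell.

# True if the PEM file is passphrase-protected: traditional PEM carries
# "Proc-Type: 4,ENCRYPTED", PKCS#8 carries "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# True if the key in $1 decrypts with the passphrase source in $2
# (OpenSSL pass-phrase syntax, e.g. file:path or pass:value).
key_opens_with() {
    openssl pkey -in "$1" -passin "$2" -noout 2>/dev/null
}

# gen_encrypted_key DIR [BITS]: writes DIR/passphrase.txt and
# DIR/server.pass.key without prompting. Runs in a subshell so the
# umask and variables do not leak into the caller.
gen_encrypted_key() (
    dir=$1
    bits=${2:-2048}
    umask 077    # key and passphrase readable by the owner only
    printf '%s\n' 'constructed-sample-passphrase' > "$dir/passphrase.txt"

    # Every option, -passout included, precedes the key size, which is last.
    openssl genrsa -aes128 -passout "file:$dir/passphrase.txt" \
        -out "$dir/server.pass.key" "$bits" 2>/dev/null || exit 1

    key_is_encrypted "$dir/server.pass.key" &&
        key_opens_with "$dir/server.pass.key" "file:$dir/passphrase.txt"
)
```

After sourcing the functions, `gen_encrypted_key .` writes both files to the current directory and returns non-zero if generation or either check fails.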