
I have created an x509 certificate. There is a set of openssl commands I used to create it; for example, the first command is:

openssl genrsa -passout pass:"$MYPWD" -out privkey.key 2048

where "$MYPWD" is an environment variable where I set the password. After executing this command, how would I check that the password is actually the value of MYPWD environment variable, and not just literally "$MYPWD"?

Thank you everyone in advance!

Mary
  • Try to do anything with the private key, such as a signing operation. If you don't get asked the password then something is wrong. You can check if the variable exists using `if -z`, see [here](https://stackoverflow.com/a/13864829/589259). – Maarten Bodewes Jun 06 '22 at 15:04
  • Although you may have also created a certificate, _this_ creates a privatekey _not_ a certificate. In OpenSSL certificates never have passwords; privatekeys _sometimes_ do, but this case (`genrsa` with `-passout` without a cipher-algorithm name) does _not_ encrypt, so there is _no_ password. You can see if an OpenSSL privatekey PEM file is encrypted by looking at the first line(s): `-----BEGIN PRIVATE KEY-----` is unencrypted, and `-----BEGIN RSA PRIVATE KEY-----` followed immediately by base64 (no `Proc-type:` and `DEK-info:`) is unencrypted. This is not programming or development. – dave_thompson_085 Jun 06 '22 at 15:10
  • @MaartenBodewes: even _reading_ with `openssl rsa -in file` or `openssl pkey -in file` is enough to see if the password is prompted for, and if so what value works. – dave_thompson_085 Jun 06 '22 at 15:16

1 Answer


You must specify a cypher to encrypt the output.

openssl genrsa -aes256 -passout env:MYPWD -out privkey.key 2048

To verify that the password was actually set, simply read back the key:

openssl pkey -in privkey.key

You will see the password prompt.

You can also inspect the content of privkey.key: "ENCRYPTED" will be there.

cat privkey.key

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,3A2E02985A117F7266F9664420F685B2

...
Anton
  • True in general but OP is using 'git-bash' (part of git-for-Windows which is really mingw64 with mintty) and for some reason openssl's password prompting doesn't work there; see https://stackoverflow.com/questions/72524858/generating-x509-certificate-bash-getting-stuck-and-not-doing-showing-anything . And even though using a tool that was packaged alongside git, this isn't programming or development. Looking at PEM headers will verify it's encrypted but not what the password is. – dave_thompson_085 Jun 07 '22 at 20:00
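The answer and the comments together give three separate checks: the key must actually be encrypted (a cipher such as `-aes256` was given), the value of MYPWD must decrypt it, and you want to know this without relying on an interactive prompt, which the last comment says does not work in git-bash. The script below is an added example, not code from the question or the answer, that runs all three checks non-interactively by passing the candidate passphrase through an environment variable on the `-passin` side as well. It assumes the `openssl` CLI is on PATH; the file names, the demo passphrase and the `CANDIDATE` variable name are arbitrary choices for this example. It also deliberately tries the literal string `$MYPWD` as a passphrase, which is exactly the quoting mistake the question is worried about, and fails if that string opens the key.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Generates an RSA key encrypted with the value of $MYPWD (as in the answer),
# then checks, without any interactive prompt, that the key is encrypted, that
# the real value of MYPWD decrypts it, and that the literal string '$MYPWD'
# (the quoting mistake the question worries about) does not.
# Assumptions: the openssl CLI is on PATH; file names and the demo passphrase
# are arbitrary; MYPWD/CANDIDATE are the env var names used for -passout/-passin.

set -u

# Create a 2048-bit RSA key encrypted with AES-256; the passphrase is read from
# the MYPWD environment variable, never from the command line (so it does not
# show up in `ps` or shell history).
gen_encrypted_key() {
  MYPWD=$2 openssl genrsa -aes256 -passout env:MYPWD -out "$1" 2048 2>/dev/null
}

# Succeed if the PEM file is encrypted: OpenSSL 3 writes a PKCS#8
# "ENCRYPTED PRIVATE KEY" block, OpenSSL 1.x the traditional block with a
# "Proc-Type: 4,ENCRYPTED" header. An unencrypted key matches neither.
is_encrypted_pem() {
  grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
          -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed if the candidate passphrase decrypts the key. Supplying it through an
# environment variable avoids the interactive prompt entirely, which also
# sidesteps the git-bash/mintty prompting problem mentioned in the comments.
key_opens_with() {
  CANDIDATE=$2 openssl pkey -in "$1" -passin env:CANDIDATE -noout 2>/dev/null
}

# Full check. Return codes: 0 ok, 1 not encrypted, 2 the expected passphrase
# does not open the key, 3 the literal string '$MYPWD' opens the key.
verify_key_password() {
  keyfile=$1
  secret=$2
  is_encrypted_pem "$keyfile" \
    || { echo "FAIL: $keyfile is not encrypted"; return 1; }
  key_opens_with "$keyfile" "$secret" \
    || { echo "FAIL: value of MYPWD does not decrypt $keyfile"; return 2; }
  key_opens_with "$keyfile" '$MYPWD' \
    && { echo "FAIL: literal string \$MYPWD decrypts $keyfile (quoting bug)"; return 3; }
  echo "OK: $keyfile is encrypted with the value of MYPWD"
  return 0
}

# Constructed demo: throwaway directory and passphrase.
demo() {
  dir=$(mktemp -d)
  secret='correct horse battery staple'
  gen_encrypted_key "$dir/privkey.key" "$secret"
  head -n 2 "$dir/privkey.key"          # show the PEM header lines
  verify_key_password "$dir/privkey.key" "$secret"
  rc=$?
  rm -rf "$dir"
  return $rc
}

demo
```

If the generation step were run the way the question did it (no cipher name), `is_encrypted_pem` fails first and `verify_key_password` returns 1 before any passphrase is tried, which is the "there is no password" case from the comments. If the shell had passed the literal `$MYPWD` through, the key would still be encrypted and the third check would catch it.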