52

What I am trying to do is create a CSR with a private key that is password protected (the key).

In OpenSSL I can create a private key with a password like so:

openssl genrsa -des3 -out privkey.pem 2048

Is there some way I can use the key I just created and generate a CSR using the key?

If not is there some way I can generate a CSR along with a PASSWORD PROTECTED private key?

jww
boyco

2 Answers

85

This is the second example from the documentation of OpenSSL req:

Create a private key and then generate a certificate request from it:

openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem

Note that if you do this directly with req (see the 3rd example) and don't use the -nodes option, your private key will also be encrypted:

openssl req -newkey rsa:2048 -keyout key.pem -out req.pem

(Despite what the documentation says, it's not exactly the same as the second example, since it doesn't use -des3, but you would have done so anyway.)

mwfearnley
Bruno
  • `openssl req -new -key key.pem -out req.pem` is quite useful when you're renewing your certificate. – AbiusX Feb 15 '13 at 15:10
  • To help me keep things straight I use the following naming convention: `.key`, `.csr` and `.crt` and `.pem` extension for chains and such which I adopted from [The Most Common OpenSSL Commands](http://www.sslshopper.com/article-most-common-openssl-commands.html). – Daniel Sokolowski Dec 12 '13 at 03:55
  • As @DanielSokolowski pointed out, although the OpenSSL documentation I quoted uses 1024-bit keys, it's certainly worth using larger keys nowadays (e.g. 2048 or above). – Bruno Dec 12 '13 at 11:38
2

A password-protected key means the private key was encrypted. Herein, 'key' refers to private keys. When using a key, like when creating a certificate signing request (CSR), if the key was encrypted, expect to be prompted for the password.

Create a CSR from an existing encrypted private key. After the password prompt, depending on the openssl configuration file, you may be prompted to specify the distinguished name (DN) of the future certificate. Option -new refers to the CSR:

    openssl req -key a.key -new -out a.csr

It should be stated that creating a CSR from an existing key is not typical. Key creation is easy and low cost, and newer keys may be more secure. So the usual scenario when creating a CSR is to create a new private key.

Update for openssl version 3.0 (circa 2022)

genrsa was deprecated and replaced by genpkey. Also, encryption with AES-128 is preferable to 3DES, for both security and performance. To create a new -aes-128-cbc encrypted key:

    openssl genpkey -aes-128-cbc -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out a.key

Then, as above, use it to create a new CSR.

Or in one step, create a new 3DES encrypted RSA key + CSR:

    openssl req -newkey rsa:2048 -keyout a.key -out a.csr

Confirm what was created by the above commands. Configuration file(s) may have played a role in the commands, because not all options were used on the command line.

    openssl rsa -in a.key -text -noout          # key bits & primes used, prompts if encrypted
    openssl asn1parse -in a.key -i -dlimit 16   # encryption cipher used
    openssl req -in a.csr -text -noout -verify  # subject, pub key & signature algorithms, V3 extensions
DWB
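The procedure both answers describe, run end to end without any interactive prompts and followed by the checks a practitioner would want before handing the CSR to a CA. This is an added example, not code from the question or from either answer. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the work directory, file names, subject DN and passphrase are illustrative. The passphrase is handed to openssl with `-pass env:` / `-passin env:` rather than `pass:` so it does not show up in the process list, and `-subj` plus `-batch` stand in for the DN prompts.

```shell
#!/bin/sh
# Added example (not from the original question or answers).
# Creates a passphrase-protected RSA key, builds a CSR from it, and verifies
# the result. Assumes the openssl CLI (1.1.1 or 3.x); paths, DN and passphrase
# below are demo assumptions.

WORK=${WORK:-$(mktemp -d)}
KEY="$WORK/a.key"
CSR="$WORK/a.csr"
# Demo passphrase only. In real use read it from a prompt or a secret store.
KEY_PASS='correct horse battery staple'
export KEY_PASS

# 1. New 2048-bit RSA key, encrypted with AES-128-CBC. genpkey writes a
#    PKCS#8 "ENCRYPTED PRIVATE KEY" block. "-pass env:NAME" reads the passphrase
#    from the environment instead of the command line or a prompt.
make_encrypted_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-128-cbc -pass env:KEY_PASS -out "$KEY" 2>/dev/null
}

# 2. CSR signed with that key. -passin unlocks the key; -subj and -batch
#    replace the interactive distinguished-name prompts.
make_csr() {
    openssl req -new -key "$KEY" -passin env:KEY_PASS -batch \
        -subj '/C=US/O=Example Corp/CN=www.example.test' \
        -out "$CSR" 2>/dev/null
}

# 3a. The PEM header tells whether the key is really encrypted: genpkey gives
#     "BEGIN ENCRYPTED PRIVATE KEY", a legacy "genrsa -des3" key instead has an
#     "RSA PRIVATE KEY" block with a "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$KEY"
}

# 3b. A wrong passphrase must be rejected (non-zero exit, no key material).
wrong_pass_rejected() {
    ! openssl pkey -in "$KEY" -passin pass:not-the-passphrase -noout 2>/dev/null
}

# 3c. The CSR's self-signature verifies ...
csr_verifies() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# 3d. ... and the public key embedded in the CSR is the one derived from our
#     private key, i.e. the CSR was produced from the key we will deploy.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$KEY" -passin env:KEY_PASS -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Run the pipeline, show the inspection the answer recommends (the asn1parse
# output names the PBES2/AES-128-CBC wrapping), then report each check.
run_demo() {
    make_encrypted_key && make_csr || return 1
    openssl asn1parse -in "$KEY" -i -dlimit 16
    openssl req -in "$CSR" -noout -subject
    for check in key_is_encrypted wrong_pass_rejected csr_verifies csr_matches_key; do
        if "$check"; then
            echo "PASS $check"
        else
            echo "FAIL $check"
            return 1
        fi
    done
}

run_demo
```

The public-key comparison in step 3d is the check that catches the most common mix-up in practice: a CSR generated from one key and a different key deployed on the server, which only surfaces later as a TLS handshake failure. Delete `$WORK` when done, or point `WORK` at a directory with restrictive permissions, since it holds the private key.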