如何为使用OpenSSL创建客户端证书指定CA私钥密码 [英] How to specify CA private key password for client certificate creation using OpenSSL

问题描述

我正在构建一个命令行脚本，以使用OpenSSL的迷你CA"功能创建客户端证书.

I am building a command line script to create a client certificate using OpenSSL "mini CA" feature.

我有一个 CA证书和使用密码加密的CA私钥.有了这些东西，我试图创建客户端证书并且偶然发现了命令行语法. 如何为CA的私钥指定密码?

I have a CA certificate and CA private key encrypted with a password. With those things I am trying to create the client certificate and stumbled upon the command line syntax. How do I specify the password for the CA's private key?

到目前为止，我有...

So far, I have ...

openssl x509
  -req
  -in client.csr
  -signkey client.key
  -passin pass:clientPK
  -CA client-ca.crt
  -CAkey client-ca.key 
  -CAkeypassin pass:client-caPK <-- does not work
  -CAcreateserial
  -out client.crt
  -days 365

请参阅突出显示的参数.我期望这样的东西，但是我无法在文档中的任何地方找到它.

See the highlighted parameter. I expect something like this, but I cannot find it anywhere in the docs.

仅作记录. -signkey参数用于自签名证书. CA无法访问客户端的私钥，因此将不会使用它.相反，-passin参数引用CA的私钥.

Just for the records. The -signkey parameter is used for self signed certificates. CA's don't have access to the client's private key and so will not use this. Instead the -passin parameter refers to the CA's private key.

openssl x509
  -req
  -in client.csr
  -CA client-ca.crt
  -CAkey client-ca.key 
  -passin pass:CAPKPassword
  -CAcreateserial
  -out client.crt
  -days 365

推荐答案

使用-passin pass，如下所示.

 openssl x509
      -req
      -in client.csr
      -signkey client.key
      -passin pass:clientPK
      -CA client-ca.crt
      -CAkey client-ca.key 
      -passin pass:secret <-- try this
      -CAcreateserial
      -out client.crt
      -days 365

这篇关于如何为使用OpenSSL创建客户端证书指定CA私钥密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！