如何为使用OpenSSL创建客户端证书指定CA私钥密码 [英] How to specify CA private key password for client certificate creation using OpenSSL
问题描述
我正在构建一个命令行脚本,以使用OpenSSL的迷你CA"功能创建客户端证书.
I am building a command line script to create a client certificate using OpenSSL "mini CA" feature.
我有一个 CA证书和使用密码加密的CA私钥.有了这些东西,我试图创建客户端证书并且偶然发现了命令行语法. 如何为CA的私钥指定密码?
I have a CA certificate and CA private key encrypted with a password. With those things I am trying to create the client certificate and stumbled upon the command line syntax. How do I specify the password for the CA's private key?
到目前为止,我有...
So far, I have ...
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-CAkeypassin pass:client-caPK <-- does not work
-CAcreateserial
-out client.crt
-days 365
请参阅突出显示的参数.我期望这样的东西,但是我无法在文档中的任何地方找到它.
See the highlighted parameter. I expect something like this, but I cannot find it anywhere in the docs.
仅作记录. -signkey
参数用于自签名证书. CA无法访问客户端的私钥,因此将不会使用它.相反,-passin
参数引用CA的私钥.
Just for the records. The -signkey
parameter is used for self signed certificates. CA's don't have access to the client's private key and so will not use this. Instead the -passin
parameter refers to the CA's private key.
openssl x509
-req
-in client.csr
-CA client-ca.crt
-CAkey client-ca.key
-passin pass:CAPKPassword
-CAcreateserial
-out client.crt
-days 365
推荐答案
使用-passin pass
,如下所示.
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-passin pass:secret <-- try this
-CAcreateserial
-out client.crt
-days 365
这篇关于如何为使用OpenSSL创建客户端证书指定CA私钥密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!