My requirement is to create RSA private key file from certificate file (.crt extention file). Openssl installed in my system and I also set the environment variable in "PATH". Unfortunately, while I am executing the command in CMD it's not working... The response getting in the CMD is
The command I am executing in CMD
openssl pkcs12 -in myfile.crt -nocerts -out keyFile.key
The response is
pkcs12: Use -help for summary.
I am not familiar with Openssl, Not found a correct solution yet. If any help, it will be appreciated.
Thanks in advance.
Related
I am using windows openssl version 3.0.1 14. The issue is when the file name has non-English character, it failed to encrypt the file with below error:
C:\Users\XXX\Desktop>openssl aes-256-cbc -e -salt -in "C:\Users\XXX\Desktop\test\试试.txt" -out "C:\Users\XXX\Desktop\test\ENCRYPTING.txt" -k 12230000000000000000000000000000 -iv F1230000000000000000000000000000
Can't open "C:\Users\XXX\Desktop\test\??.txt" for reading, Invalid argument
B8280000:error:8000007B:system library:BIO_new_file:Unknown error:crypto\bio\bss_file.c:67:calling fopen(C:\Users\lishi\Desktop\test\??.txt, rb)
B8280000:error:10080002:BIO routines:BIO_new_file:system lib:crypto\bio\bss_file.c:77:
The terminal I use is Windows command prompt, I verified that this Chinese file can be opened successfully in cmd using issuing:
C:\Users\XXX\Desktop>notepad C:\Users\XXX\Desktop\test\试试.txt
Any configuration things I need to do in openssl side to support utf8?
I am writing a shell script which executes a command which requires a password. I cannot put password in plain text in the script. I read about openssl encrypt decrypt mechanism but for encrypting a file again I need a password which again I cannot put in the script. I am clueless what is the best way to have a script execute a command using a secure password.
After reading about Using OpenSSL to encrypt messages and files on Linux, the following approach might work for you.
Assuming you have private and public key generated for your machine
openssl genrsa -out passwordPrivKey.pem 2048
openssl rsa -in passwordPrivKey.pem -out passwordPubKey.pem -outform PEM -pubout
OpenSSL could be used than to encrypt and decrypt a password. Providing a script stub which will demonstrate how to use the command.
#!/bin/bash
echo -n "password" > PASSWORD.plain
# To encrypt
openssl rsautl -encrypt -inkey ./passwordPrivKey.pem -pubin -in PASSWORD.plain -out PASSWORD.dat
# To decrypt
DECRYPTED=$(openssl rsautl -decrypt -inkey ./passwordPubKey.pem -in PASSWORD.dat)
echo $DECRYPTED
On the machine where the password is needed unencrypted later, only PASSWORD.dat and passwordPubKey.pem would be stored.
You may also interested in Hiding Password in Shell Scripts, Password encryption and decryption or How does OpenSSL decrypt a password.
Try openssl. It is a command available on UNIX and it can hash your password for you.
https://www.openssl.org/docs/man1.0.2/apps/openssl.html
It depends on where you execute that script from. If it's a continuous integration tool, there should be way to define a system variable, visible in your script.
I'm trying to convert a bash script for Linux to run in Windows batch as well. Amongst several commands, there is also an OpenSSL command which reads a certificate from an https server and stores it in a variable. The bash command is:
openssl s_client -showcerts -connect $SERVER_IP:443/login </dev/null 2>/dev/null|openssl x509 -outform PEM > mycertfile.pem
I've installed OpenSSL in my Windows machine from here. I prefered the "Win64 OpenSSL v1.1.0e Light" version of OpenSSL.
How is this command transferred to Windows logic? Any ideas?
Learning about big query on google app engine and wanted to try out this library that also required me to know about Converting the service account credential to other formats. I have tried the command
# Convert the key from pkcs12 to pkcs1 (PEM).
$ cat /path/to/xxxx-privatekey.p12 | openssl pkcs12 -nodes -nocerts -passin pass:notasecret | openssl rsa > /path/to/secret.pem
on the command line but I get
'cat' is not recognized as an internal or external command,
operable program or batch file.
How do I resolve this?
Use windows powershell. WIndows 7 afterwards, it comes along with the windows.
Use 'Windows PowerShell' to the 'cat' Command, It'll work.
i have to connect to a webservice, where a pkcs12 certificate is a must. the idea was to use curl in a bash script (under OS X, to be specific).
i have learnt that one of the few things curl cannot do in communication, is handling pkcs12 certificates (.p12). what are my options?
i have read that converting the certificate to PEM format would work (using openssl), however i have no idea how to tell curl that it gets a PEM and should communicate with a webservice requesting PKCS12 certificates.
converting pkcs12 to pem would be done like this (e.g.), it worked for me, however i haven't successfully used them with curl:
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
any hints? or, any alternatives to curl? the solution should be commandline based.
I think you have already resolved but I had the same problem. I answer to share my solution.
If you have a .p12 file your approach is right.
First of all, you have to get the cert and the key separated from the p12 file.
As an example, if you have a mycert.p12 file execute
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
Then you have to make the call to your url. For instance, assume that you want to get the WSDL of a specific web service
curl -E ./file.crt.pem --key ./file.key.pem https://myservice.com/service?wsdl
If the files file.crt.pem and file.key.pem are in your working folder "./" is mandatory.
Check if you have a newer curl. Newer versions can handle PKCS12 outright.
Tangentially, quote the password, or individually escape all shell metacharacters.
curl --cert-type P12 --cert cert.p12:'password' https://yoursite.com
bioffes answer is correct.
He was suggesting to do:
curl --cert-type P12 --cert cert.p12:password https://yoursite.com
For some reason that didn't work for me. I was getting:
curl could not open PKCS12 file
I just ended up exporting the p12 file without a password and ended up just using the following format.
curl --cert-type P12 --cert cert.p12 https://yoursite.com
You can easily check to see if your curl can handle p12. Very likely it does. Just do man curl and scroll down til you find the cert-type. Mine was like this:
--cert-type <type>
(TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types. If not specified, PEM is assumed.
If this option is used several times, the last one will be used.
(I don't believe cmmd + F works to text not visible in the terminal. So you have to scroll down.