How to generate keys and save them to an external file? - bash

I am trying to generate a pair of keys with OpenSSL.
userner@userner-VirtualBox:/certs$ openssl genrsa 2048 >frugalCA.key
However, the output cannot be written to the file frugalCA.key and I get this error:
bash: frugalCA.key: Permission denied
I would be very grateful if you could help me, please.

Use the -out flag:
openssl genrsa -out frugalCA.key 2048
But from the output shown, you probably don't have the write permission in that folder.

It works for me with this command line:
openssl genrsa 2048 | sudo tee frugalCA.key

You need to be specific on where you want your output, as the default location may be restricted.
C:\Program Files\OpenSSL-Win64\bin>openssl genrsa -out C:\Users\user123\Downloads\MyOrganization_auth.key 2048

Related

Why not executing the Openssl command in CMD?

My requirement is to create an RSA private key file from a certificate file (.crt extension file). OpenSSL is installed on my system and I also set the environment variable in "PATH". Unfortunately, while I am executing the command in CMD it's not working... The response I get in CMD is below.
The command I am executing in CMD
openssl pkcs12 -in myfile.crt -nocerts -out keyFile.key
The response is
pkcs12: Use -help for summary.
I am not familiar with OpenSSL and have not found a correct solution yet. Any help will be appreciated.
Thanks in advance.

'openssl genrsa' doesn't work when I use AES

I have a problem when I try to generate an SSH key as requested in the instructions of this Symfony bundle:
LexikJWTAuthenticationBundle
When I use this command :
openssl genrsa -out config/jwt/private.pem -aes256 4096
The process doesn't finish; here is what I have: openssl genrsa with AES
But it works perfectly without the use of AES (either -aes256 or -aes128 or other).
Do you know why ?
(Then, do you think I can continue without using AES ?)
Thank you.
I had the same problem when I was using openssl from my Git Bash (the command line installed with Git on Windows; openssl comes with it by default). Later on, I installed OpenSSL on Windows itself (you can download it from here), added it to the PATH variable on my PC, and then I was able to use it from CMD anywhere, and it works the same way as described in the JWT docs.
Hope it could help you and someone else.
You are probably using OpenSSL on Windows in a Linux-like subsystem such as MinGW.
There seems to be an issue with displaying the passphrase prompt in this setup. You can bypass the prompt by specifying the password using the -passout option of OpenSSL:
openssl genrsa -out config/jwt/private.pem -aes256 -passout pass:PASSWORD 4096
You cannot, however, generate a key with one of the encryption switches like -aes256 without specifying a password, or you will get errors like this, as a passphrase is obviously needed for the encryption:
$ openssl genrsa -aes256 -out ca-key.pem -passout pass: 4096
Generating RSA private key, 4096 bit long modulus
........++++
..................................................................................++++
e is 65537 (0x10001)
5588:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:373:
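The same -aes256 key generation as an added example (not from this thread), with the passphrase taken from an environment variable through -passout env: instead of pass:PASSWORD on the command line, where it would be visible in the process list and in shell history. It assumes bash and an openssl binary on PATH; KEY_PASS is a name chosen here and must be exported before the functions are called.

```shell
#!/bin/bash
# Added example: generate an AES-256 encrypted RSA key non-interactively and
# verify that it really is encrypted and that the passphrase unlocks it.
set -eu

WORK="$(mktemp -d)"            # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# gen_encrypted_key KEYFILE [BITS]
# Passphrase comes from the exported variable KEY_PASS (env:), never from argv.
gen_encrypted_key() {
    keyfile="$1"; bits="${2:-4096}"
    if [ -z "${KEY_PASS:-}" ]; then
        echo "KEY_PASS is empty: -aes256 needs a passphrase" >&2
        return 1
    fi
    # umask in a subshell so the private key is created 0600 without
    # changing the caller's umask
    ( umask 077
      openssl genrsa -out "$keyfile" -aes256 -passout env:KEY_PASS "$bits" 2>/dev/null )
}

# key_is_encrypted KEYFILE -> 0 if the PEM is encrypted; matches both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY" form
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# passphrase_unlocks KEYFILE -> 0 only if $KEY_PASS decrypts the key
passphrase_unlocks() {
    openssl rsa -in "$1" -passin env:KEY_PASS -noout -check >/dev/null 2>&1
}

# key_is_owner_only KEYFILE -> 0 if the file mode is exactly 0600
key_is_owner_only() {
    [ -n "$(find "$1" -perm 600)" ]
}
```

Usage: `export KEY_PASS='...'; gen_encrypted_key config/jwt/private.pem 4096`, then `passphrase_unlocks config/jwt/private.pem` to confirm the passphrase before handing the key to the bundle.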

How to use encrypted and decrypted passwords in shell script

I am writing a shell script which executes a command which requires a password. I cannot put password in plain text in the script. I read about openssl encrypt decrypt mechanism but for encrypting a file again I need a password which again I cannot put in the script. I am clueless what is the best way to have a script execute a command using a secure password.
After reading about Using OpenSSL to encrypt messages and files on Linux, the following approach might work for you.
Assuming you have private and public key generated for your machine
openssl genrsa -out passwordPrivKey.pem 2048
openssl rsa -in passwordPrivKey.pem -out passwordPubKey.pem -outform PEM -pubout
OpenSSL can then be used to encrypt and decrypt a password. Here is a script stub that demonstrates how to use the commands.
#!/bin/bash
echo -n "password" > PASSWORD.plain
# To encrypt: use the PUBLIC key (-pubin), since anyone holding it may encrypt
openssl rsautl -encrypt -inkey ./passwordPubKey.pem -pubin -in PASSWORD.plain -out PASSWORD.dat
# To decrypt: only the PRIVATE key can recover the plaintext
DECRYPTED=$(openssl rsautl -decrypt -inkey ./passwordPrivKey.pem -in PASSWORD.dat)
echo "$DECRYPTED"
On the machine where the password is needed unencrypted later, only PASSWORD.dat and passwordPubKey.pem would be stored.
You may also be interested in Hiding Password in Shell Scripts, Password encryption and decryption or How does OpenSSL decrypt a password.
Try openssl. It is a command available on UNIX and it can hash your password for you.
https://www.openssl.org/docs/man1.0.2/apps/openssl.html
It depends on where you execute that script from. If it's a continuous integration tool, there should be a way to define a system variable that is visible in your script.

Can't convert .p12 to .pem with openSSL

After running this:
openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
I get prompted with the option descriptions.
After running this
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes
I get prompted with "Enter Import Password:". What is this import password? I tried the one I set from the firefox backup and it responded with "Mac verify error: invalid password?". I'm sure that the password is correct because I tested it by importing it again into firefox.
I got the commands from the answer to this question!
I experienced the same thing too. Try to put the password in the command line like this. It works for me:
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes -password pass:<mypassword>
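To make the "Enter Import Password" prompt concrete, here is an added example (not from this thread) that builds a throwaway .p12 with a known export password and then splits it into certificate and key the way the two commands above do, supplying the password through -passin env: rather than pass:<mypassword> on the command line. It assumes bash and openssl on PATH; P12_PASS is a name chosen here and must be exported first.

```shell
#!/bin/bash
# Added example: PKCS#12 round trip. The password used at -export time is the
# "import password" that `openssl pkcs12 -in` asks for; a wrong one fails the
# MAC check ("Mac verify error: invalid password?") before anything is written.
set -eu

WORK="$(mktemp -d)"            # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# make_p12 DIR: self-signed cert + key (constructed test material), bundled
# into DIR/bundle.p12 and protected with the exported variable P12_PASS
make_p12() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/bundle.p12" -passout env:P12_PASS
}

# split_p12 P12 OUTDIR: same two extractions as in the question, non-interactive.
# The key is written unencrypted (-nodes), so it is created 0600 via umask.
split_p12() {
    p12="$1"; out="$2"
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS \
        -out "$out/cert.pem" 2>/dev/null
    ( umask 077
      openssl pkcs12 -in "$p12" -nocerts -nodes -passin env:P12_PASS \
          -out "$out/key.pem" 2>/dev/null )
}

# key_matches_cert KEY CERT -> 0 if the extracted key belongs to the extracted cert
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}
```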

How can I build a Safari extension package from the command line?

Instead of going to Extension Builder > Build Package…, I'd like to build a .safariextz package from the MyExtension.safariextension folder.
I know I can unpack an extension with xar -xf. I suspect the way back involves packing it with xar, but then I'll need to do the code signing thing, which may or may not involve codesign(1).
Here are Omar Ismail's instructions, omitting the need for separate shell scripts. This will all occur in a directory safari/, where we will be signing the directory safari/appname.safariextension/ to become the extension safari/appname.safariextz. The first thing is to sign the extension the official way, with Extension Builder's Build Package.
Set up Xar:
1. Download and unzip/untar
https://github.com/downloads/mackyle/xar/xar-1.6.1.tar.gz
to wherever you want the executable xar-1.6.1 (xar 1.6dev doesn't support the options we need)
2. in xar-1.6.1/
./configure
make
sudo make install
sudo ln -s /full/path/to/xar-1.6.1/src/xar /usr/local/bin/xar161
Set up your certificates:
1. in safari/
mkdir certs/
xar161 -f appname.safariextz --extract-certs certs/
2. open Keychain Access and export your Safari Developer certificate to safari/certs/certs.p12 (use a blank password for certs.p12, and then use your Mac's password to export the cert)
3. in safari/certs/
openssl pkcs12 -in certs.p12 -nodes | openssl x509 -outform der -out cert.der
(same blank password)
openssl pkcs12 -in certs.p12 -nodes | openssl rsa -out key.pem
(same blank password)
openssl dgst -sign key.pem -binary < key.pem | wc -c > size.txt
It's possible that you can get the certificates from certs/cert.p12, and not need the --extract-certs step (and hence not need the extension built the official way), but I don't know openssl well enough, and it's only for the set up that you need that step anyway.
Once everything is set up, to sign the extension:
In safari/
xar161 -czf appname.safariextz --distribution appname.safariextension/
xar161 --sign -f appname.safariextz --digestinfo-to-sign digest.dat --sig-size `cat certs/size.txt` --cert-loc certs/cert.der --cert-loc certs/cert01 --cert-loc certs/cert02
openssl rsautl -sign -inkey certs/key.pem -in digest.dat -out sig.dat
xar161 --inject-sig sig.dat -f appname.safariextz
rm -f sig.dat digest.dat
This was all on a 2006 Snow Leopard MacBook, so it's possible things may be different on a machine that's more up to date.
Looks like there is a way to patch XAR with a signature option. http://code.google.com/p/xar/issues/detail?id=76#c0
