openssl on Windows does not recoginize my -extfile - windows

When using OpenSSL 1.0.2l, I have the following command line:
openssl ca -out certs\cert.pem -days 1825 -config openssl.cnf -infiles requests\req.pem -extfile "v3.ext"
I have the v3.ext file in the current directory:
>dir v3.ext
Volume in drive C is OS
Volume Serial Number is 1E1A-0C21
Directory of C:\Users\[me]\.openssl
06/12/2017 10:58 AM 205 v3.ext
1 File(s) 205 bytes
0 Dir(s) 116,381,810,688 bytes free
When I run it, I get this error message:
-extfile: No such file or directory
8932:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:406:fopen('-extfile','rb')
8932:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:408:
This is a Windows 10 box. Is anything wrong with my Extfile option?
Thanks

The "-extfile" option should be earlier in the list of options. From the ca man page (https://www.openssl.org/docs/man3.0/man1/openssl-ca.html):
-infiles
if present this should be the last option, all subsequent arguments are
assumed to the the names of files containing certificate requests.
So your "-extfile" argument is being taken as a request file.

Related

OpenSSL on Windows is not loading from CA Store

I have a leaf cert, intermediate cert, and a root cert.
client.crt contains all three, by way of cat leaf.crt intermediate.crt root.crt > client.crt
$ # Fails
$ openssl.exe verify client.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error client.crt: verification failed
$ # Passes, as expected, since it has the whole chain
$ openssl.exe verify -CAfile client.crt client.crt
client.crt: OK
$ # Add intermediate and root to stores
$ certutil.exe -addstore -f "ROOT" .\root.crt
CertUtil: -addstore command completed successfully.
$ certutil.exe -addstore -f "CA" .\intermediate.crt
CertUtil: -addstore command completed successfully.
$ # Both client.crt and leaf.crt fail to verify
$ openssl.exe verify client.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error client.crt: verification failed
$ openssl.exe verify leaf.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error leaf.crt: verification failed
It appears as if openssl.exe is not picking up the certs I install. I've also gone through and installed these through the Windows certificate manager to no avail.
How do I get openssl to pick up this CA chain?

Unable to load Private Key

I am new to SSL/OpenSSL and I'm working on Windows 7. I'm trying to configure HTTPS for my ElasticBeanstalk environment following these instructions.
I'm at Step 2 in "Create a Private Key". After I issue the command to generate the key pair:
openssl genrsa 2048 > privatekey.pem
I get:
Generating RSA private key, 2048 bit long modulus
........................................+++
...............................+++
unable to write 'random state'
e is 65537 (0x10001)
However, it does write a key to my directory. But after the second command:
openssl req -new -key privatekey.pem -out csr.pem
I get:
unable to load Private Key
6312:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
I've tried Googling this a bit, but none of the solutions I've found seem to be relevant for me. I checked the generated key and it looks like
-----BEGIN RSA PRIVATE KEY-----
{lots of characters}
-----END RSA PRIVATE KEY-----
What am I doing incorrectly?
unable to load Private Key
6312:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
I ran your commands on OS X, and I could not reproduce the results.
I did use the -config option because I have an "OpenSSL server config template" that makes it easy to generate CSRs and self signed certificates:
$ mkdir test
$ cd test
$ openssl req -new -key privatekey.pem -out csr.pem -config example-com.conf
The configuration file is named example-com.conf, and you can find it at How do I edit a self signed certificate created using openssl xampp?. Edit it to suit your taste (in particular, the DNS names).
If interested, here's the OpenSSL man pages on the req sub-command.
I checked the generated key and it looks like
-----BEGIN RSA PRIVATE KEY----- {lots of characters}
-----END RSA PRIVATE KEY-----
You can validate the key you just created with:
$ openssl rsa -in privatekey.pem -inform PEM -text -noout
Private-Key: (2048 bit)
modulus:
00:b0:91:ce:57:28:0f:5c:3a:c3:29:d7:23:6a:71:
ca:64:49:fc:24:ea:69:a3:09:d6:49:94:17:b9:09:
65:fa:5a:10:47:a4:9b:b8:cd:6d:32:74:19:8d:5c:
79:92:f0:a6:43:9c:75:a3:7b:ef:c4:c3:d9:c2:db:
b9:bd:ec:14:a8:b1:52:73:8f:56:c8:5c:16:08:56:
ff:c2:2b:35:3c:0a:0f:34:d0:91:c1:54:7e:72:e8:
97:bf:ea:46:69:5f:e4:21:8d:7a:f5:a5:6b:6a:e8:
00:56:bc:02:f6:b4:ae:6e:89:a6:50:aa:5b:2f:d8:
7d:99:04:61:51:76:b3:5e:9e:30:52:99:54:26:e2:
3a:54:ec:78:34:e6:9a:b7:c2:58:5c:51:3d:39:52:
d4:6e:0c:6e:a1:a0:a5:f1:4d:5a:f5:0b:1a:6e:dc:
f3:bb:0d:d0:53:51:b0:1a:04:ee:86:35:d5:f3:8b:
0d:bc:19:61:6c:0c:b2:7b:a9:7c:47:97:01:bb:a2:
6a:74:d9:19:e9:df:60:07:d4:95:4c:83:f8:3b:84:
c2:b8:3d:b9:a7:34:0a:9b:a3:c6:70:cc:ef:de:f4:
64:88:f1:56:d3:2a:fd:5a:82:88:96:66:93:6c:a0:
b8:ec:e4:4c:e8:76:5c:9c:fc:c4:60:72:b6:9a:3f:
98:a3
publicExponent: 65537 (0x10001)
privateExponent:
00:87:ab:f1:65:ac:e5:68:93:ca:64:3a:e7:fe:a1:
62:c7:7e:c5:dc:c3:b5:d9:cd:f4:36:e3:30:fb:40:
0a:78:bc:7d:67:df:46:bc:50:34:88:a1:07:05:44:
ba:31:ba:f1:b6:5f:e1:50:76:29:bd:02:54:2f:d2:
cf:bc:ec:4a:cf:78:39:07:8c:6b:3d:56:ec:a3:09:
de:49:9f:13:af:87:77:39:b8:cd:56:45:0b:48:56:
0a:4c:2f:c2:5c:b3:8e:c2:6d:48:be:b9:95:79:36:
bd:13:e8:31:4a:c9:78:82:7d:08:2b:51:4a:f1:cf:
a2:6a:52:20:49:0d:31:34:10:88:02:d7:a7:07:70:
32:b5:f5:8c:cc:d4:b2:8d:b9:aa:bb:33:82:1a:74:
bd:4d:4f:e9:e0:cc:f2:27:fb:98:34:2c:77:56:6f:
88:3a:66:32:5d:7d:57:c6:5b:63:39:fa:32:04:9d:
e3:cc:a5:b6:44:91:fd:7d:d1:b6:2d:16:47:59:81:
3d:cf:d9:a7:58:2a:d6:61:5d:c6:69:3b:7a:70:50:
4f:80:f4:d9:fb:c8:7d:5e:44:9e:ac:c8:e6:aa:49:
c3:d6:df:6b:03:68:25:a3:2b:89:8f:9a:35:3a:58:
7d:71:b4:08:d9:04:7b:b9:96:17:f3:a5:19:c5:07:
4e:c1
prime1:
00:d7:d0:d8:8c:b5:86:ed:0e:06:70:c9:54:00:25:
d7:8c:e4:65:51:1b:c5:ba:33:c2:02:1a:dc:80:a6:
ae:8e:1e:e8:c0:b7:04:11:5a:e3:98:52:8f:4a:7a:
43:b8:e8:1b:c8:d6:d3:b2:dc:70:59:a5:ca:83:bb:
35:f1:6c:f5:cb:d0:f4:04:5e:aa:7c:d0:ec:d7:4a:
d5:1c:7c:e2:67:e4:e8:17:95:9b:4e:2b:a0:26:74:
61:d0:a0:15:27:18:e5:84:b5:54:ef:be:82:35:7e:
78:e0:49:6b:4e:ae:93:53:a0:81:a3:8e:de:d3:e5:
dc:c5:ba:03:36:14:47:97:03
prime2:
00:d1:72:3b:f5:34:b1:11:78:b2:79:f4:3e:d7:be:
bf:cc:b3:09:ea:24:a4:cc:7f:64:73:96:d2:48:9e:
55:bc:79:23:c2:d9:80:81:7d:a4:a5:4b:43:33:8e:
62:04:ec:8d:22:d7:43:5e:41:b6:4d:e9:b0:cc:70:
63:17:70:93:88:81:f5:84:a6:3f:2b:98:33:a3:69:
53:11:c7:95:8c:30:ea:e8:58:c7:77:10:b4:a8:f5:
bf:5e:cf:e1:99:bb:b3:4e:57:d2:4c:f7:73:de:8a:
98:8e:7c:26:37:6c:e4:77:c6:d2:ed:5d:53:a7:15:
c3:9c:67:61:d3:24:9a:f5:e1
exponent1:
00:83:34:59:e2:b9:9d:8c:d2:e1:01:82:b4:89:de:
77:bc:15:42:af:5b:c6:0a:dc:da:8e:f3:0b:a9:3f:
2c:92:04:a2:96:3e:ed:bf:2b:55:80:ce:78:84:db:
ed:fe:25:46:77:04:7b:f1:9a:68:c7:67:ae:c6:05:
73:d7:11:da:21:0e:28:bb:db:5d:a4:c2:53:aa:d3:
b8:da:37:e6:61:29:5e:1c:b0:7c:99:ba:96:03:aa:
ef:a8:a9:1a:13:09:e4:c7:98:82:49:ba:b5:68:96:
3a:20:89:22:2e:d4:9d:86:d2:e6:dd:ab:c7:36:65:
e1:a1:67:e3:f9:e5:bc:5c:47
exponent2:
00:81:6d:b9:55:8f:09:39:05:c0:2d:12:dd:5e:cf:
56:91:35:b6:93:c5:af:3d:5c:20:04:3a:18:9a:9d:
95:d7:d1:78:62:e9:ab:ba:d9:9c:cc:34:95:43:9f:
e2:3c:ae:bd:8c:e1:3f:95:58:c0:42:a7:7e:04:e8:
12:a4:22:82:59:22:0e:49:b9:be:61:bf:3d:71:e7:
1d:59:68:5f:a6:f1:77:c8:bb:4c:0f:ec:f7:e7:4d:
6d:c4:36:6c:70:67:08:a8:0a:27:40:3e:ce:90:a0:
4f:24:05:de:4b:f3:f3:bf:7c:d3:4d:b1:95:87:34:
30:dc:4f:1a:a9:b2:fe:3b:a1
coefficient:
6d:51:b3:6e:87:8d:aa:f0:55:c4:22:21:62:a9:ea:
24:b3:b7:91:40:f5:78:5d:f1:40:45:7e:0d:a2:a3:
54:46:ba:42:33:b6:cd:57:a1:85:bc:3d:ba:1c:eb:
87:33:a9:e9:63:1e:7c:2c:89:98:b9:0f:4b:e8:c4:
79:bd:00:6a:f5:3e:ea:63:f1:9e:aa:47:35:5a:22:
fc:4e:e3:61:7e:eb:dc:a6:c0:2c:d5:fd:22:9f:01:
59:32:15:db:41:99:b7:a8:c1:eb:1e:42:c7:1b:c7:
c8:56:86:a8:34:fe:1c:48:b6:6e:f1:c1:5c:96:bf:
9d:fa:e5:4c:d0:2a:d9:09
unable to write 'random state'
This is a well known problem. OpenSSL uses a default configuration file. You can locate the configuration file with correct location of openssl.cnf file.
The default configuration file includes these lines:
$ cat /usr/local/ssl/macosx-x64/openssl.cnf
...
HOME = .
RANDFILE = $ENV::HOME/.rnd
...
To save the random file, you should point HOME and RANDFILE to a valid location. On Windows, you type set HOME=... and set RANDFILE=... in the command prompt. Or better, change it in the OpenSSL configuration file you use.
Also see How to fix “unable to write 'random state' ” in openssl and How do I make OpenSSL write the RANDFILE on Windows Vista?.
I'm trying to configure HTTPS for my ElasticBeanstalk environment following these instructions.
The instructions are wrong in the image below. Do not place a DNS name in the Common Name (CN).
Placing a DNS name in the Common Name is deprecated by both the IETF (the folks who publish RFCs) and the CA/B Forums (the cartel where browsers and CAs collude). You should pay articular attention to what the CA/B recommends because Browsers and CAs come up with those rules, and the browsers follow them (and they don't follow the RFCs). For reference, see RFC 5280, RFC 6125 and the CA/B Baseline Requirements.
Instead, place DNS names in the Subject Alternate Name (SAN). Both the IETF and CA/B specifies it.
The custom OpenSSL configuration file handles this for you. You just have to change the DNS names listed under the section [ alternate_names ]. For example, here's a set of names set up for the domain example.com. Notice there is no DNS name in the CN:
[ subject ]
...
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Example Company
[ alternate_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com
DNS.4 = ftp.example.com
Can you check if you have appropriate permissions when you run both the commands? Maybe try doing the same using a user with Admin Rights.
Also make sure the created file privatekey.pem has appropriate permissions before executing the command below (Use chmod if necessary)
openssl req -new -key privatekey.pem -out csr.pem
Submitting this as answer as I don't have enough reputation to comment.
I believe the root of the problem is the error
unable to write 'random state'
e is 65537 (0x10001)
Searching StackOverflow found these results. I would stress that you run the openssl program as sudo or directly as root to avoid any possible permissions issues.
The fix in Windows:
https://stackoverflow.com/a/12522479/3765769
In Linux:
https://stackoverflow.com/a/94458/3765769

Unable to load config info from /usr/local/ssl/openssl.cnf on Windows

While using OpenSSL on Windows:
openssl genrsa -out privatekey.pem 1024 -->
Created successfully
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 365
---->
Showing error message as
unable to load config info from /usr/local/ssl/openssl.cnf
After installing OpenSSL I was required to create a new environment variable:
Name: OPENSSL_CONF
Value: C:\Program Files\OpenSSL\openssl.cnf
In powershell:
$env:OPENSSL_CONF = "${env:ProgramFiles}\OpenSSL\openssl.cnf"
This value differs from previous installation versions (as seen in a previous edit of this post). Also, don't forget to add the openssl binary folder ${env:ProgramFiles}\OpenSSL to your Path.
You should specify the absolute path to the config, something like this:
openssl req -x509 -config "C:\OpenSSL-Win64\bin\openssl.cnf" ...
In Windows 10, no need to restart nor run in Administrator's mode but instead set openssl config like so:
set OPENSSL_CONF=C:\Program Files (x86)\GnuWin32\share\openssl.cnf
Of course, if you are using GnuWin32
The only thing that worked for me in this situation was the self-created openssl.cnf file.
Here are the basics needed for this exercise (edit as needed):
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
I hope that helps.
In windows , [Similar scenario]
I was facing the same problem But It was during requesting for Certificate Signing Request.
I did the below , It Worked for me.
Once OpenSSL installed, Ran command prompt as administrator after the system reboot.[for the best I did both.. run as admin and system reboot]
did,
1.[Error Case]
C:\OpenSSL-Win64\bin>openssl req -new -key server.key -out server.csr
WARNING: can't open config file: C:\OpenSSL-Win64\bin\openssl.cnf
AND
Unable to load config info from C:\OpenSSL-Win64\bin\openssl.cnf
2.[Worked with Warning]
C:\OpenSSL-Win64\bin> openssl req -new -key server.key -out server.csr -config C:\OpenSSL-Win64\bin\openssl.cfg
[Warning message]: WARNING: can't open config file: C:\OpenSSL-Win64\bin\openssl.cnf
But prompted me for the Pass Phrase for server.key
It worked for me.
I referred,This link for my assistance.
Thank you.
For me on Windows 8, I simply found openssl.cnf file and copied it on the C drive. then:
openssl req -new -key server.key -out server.csr -config C:\openssl.cnf
Worked perfectly.
After installing OpenSSL, you need to restart your computer and use Run As Administrator. Then its works.
With the GnuWin32 tools I found the openssl.cnf under C:\gnuwin32\share
set OPENSSL_CONF=C:\gnuwin32\share\openssl.cnf
In my case, I need to set the path of openssl.cnf file manually on the command using config option. So the command
openssl req -x509 -config "C:\Users\sk\Downloads\openssl-0.9.8k_X64\openssl.cnf" -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 900
In Windows 7 I didn't have to restart, simply run command prompt in administrator mode.
If you're using Win32 OpenSSL v1.1.0g, setting up this environment variable:
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\cnf\openssl.cnf
Before running this command with "server.key", successfully creating "server.csr":
openssl req -new -key server.key -out server.csr
On the basic question of why openssl is not found:
Short answer:Some installation packages for openssl have a default openssl.cnf pre-included. Other packages do not.
In the latter case you will include one from the link shown below;
You can enter additional user-specifics --DN name,etc-- as needed.
From https://www.openssl.org/docs/manmaster/man5/config.html,I quote directly:
"OPENSSL LIBRARY CONFIGURATION
Applications can automatically configure certain aspects of OpenSSL using the master OpenSSL configuration file, or optionally an alternative configuration file. The openssl utility includes this functionality: any sub command uses the master OpenSSL configuration file unless an option is used in the sub command to use an alternative configuration file.
To enable library configuration the default section needs to contain an appropriate line which points to the main configuration section. The default name is openssl_conf which is used by the openssl utility. Other applications may use an alternative name such as myapplication_conf. All library configuration lines appear in the default section at the start of the configuration file.
The configuration section should consist of a set of name value pairs which contain specific module configuration information. The name represents the name of the configuration module. The meaning of the value is module specific: it may, for example, represent a further configuration section containing configuration module specific information. E.g.:"
So it appears one must self configure openssl.cnf according to your
Distinguished Name (DN), along with other entries specific to your use.
Here is the template file from which you can generate openssl.cnf
with your specific entries.
One Application actually has a demo installation that includes a demo .cnf file.
Additionally, if you need to programmatically access .cnf files, you can
include appropriate headers --openssl/conf.h-- and parse your .cnf files
using
CONF_modules_load_file(const char *filename, const char *appname,
unsigned long flags);
Here are docs for "CONF_modules_load_file";
On Windows Powershell:
$env:OPENSSL_CONF = "${env:ProgramFiles}\OpenSSL-Win64\bin\openssl.cfg"
For me put variable before calling did the trick:
OPENSSL_CONF=/usr/ssl/openssl.cnf openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 365
I had similar problem on Windows 7:
WARNING: can't open config file: C:\OpenSSL-Win32\bin\openssl.cfg
Unable to load config info from C:\OpenSSL-Win32\bin\openssl.cfg
The reason was removed OpenSSL-Win32 directory without using deinstallator, so not all components was properly removed from system.
I had to remove environment variable OPENSSL_CONF manually.
Some openssl binaries, e.g. installed with git, does not need OPENSSL_CONF environment variable, but if this environment variable exists it must lead to valid file.

How to specify passphrases for P12 to PEM file conversion without interaction.

I'm trying to convert a P12 file to a PEM file. When I execute the command, the terminal asks me for three things:
P12 passphrase (I type it in, hit enter)
PEM passphrase (type it in, hit enter)
PEM passphrase confirm (type it in, hit enter)
I know I can execute a sudo command all in one shot by using the following:
echo sudopassword | sudo rm -rf /file.p12;
How can I add all three values in one shot? Thanks
Can you explain what these P12 files are? I found this link which deals with the conversion of pkcs12 Cert/key files to .PEM format using openssl. (http://gridsite.org)
Key to the answer is:
Use -passin file:... and -passout file:... for unattended processing
It's my guess that you will have to specify the -passin file:P12passphrase and -passout file PEMpassphrase options for this case.
This little test confirms how an input passphrase can be specified through a file:<...> parameter. This helps to hide such phrases from any over the shoulder attacks. Don't forget to restrict access to such files. Even though it's a common feature of most openssl commands, it's not explicitly mentioned and it is key to the original question. The full list of options is below.
$ openssl pkcs12 -passin file:P12phrase
Can't open file P12phrase
Error getting passwords
(I leave it to the OP to construct the full command.)
Below are all supported options for the pkcs12 subcommand:
$ openssl pkcs12 help
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
-noout don't output anything, just verify.
-nomacver don't verify MAC.
-nocerts don't output certificates.
-clcerts only output client certificates.
-cacerts only output CA certificates.
-nokeys don't output private keys.
-info give info about PKCS#12 structure.
-des encrypt private keys with DES
-des3 encrypt private keys with triple DES (default)
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-nodes don't encrypt private keys
-noiter don't use encryption iteration
-maciter use MAC iteration
-twopass separate MAC, encryption passwords
-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg specify certificate PBE algorithm (default RC2-40)
-keypbe alg specify private key PBE algorithm (default 3DES)
-keyex set MS key exchange type
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
It's unlikely that these commands are reading from stdin. It's more likely that they're reading directly from the terminal. This allows them to set a mode that doesn't echo the password to the screen. Try echoing your input to /dev/tty.
Beyond that, you'll need to use something like expect / pexect to control these. Those projects were build specifically for this purpose.
Openssl has a -stdin optoin to read its input from stdin. This works:
tmp=`mktemp`
cat > $tmp <<EOF
$1
EOF
cat $tmp | openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
I've used cat and a here-document to avoid putting the password on the commandline.
I used openssl pkcs12 -in Certificates.p12 -out sampleCore.pem -nodes and it was working for me.
Have you tried just echoing three lines? It would probably work
echo $'P12 passphrase\nPEM passphrase\nPEM passphrase confirm' | cmd
Although I feel I must point out that echoing passwords like this is highly insecure. Not only does the password end up in your bash history file, but it's also visible to anyone else on the system who runs ps.

OpenSSL and error in reading openssl.conf file

I am running windows xp 32bit
I just downloaded Openssl from the following URL and installed it.
http://www.slproweb.com/products/Win32OpenSSL.html
and then I tried to create a self signed certificate by using the following command
openssl req -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem
then it started giving the following error
Unable to load config info from /usr/local/ssl/openssl.cnf
After some googling, I changed the above command to
openssl req -config C:\OpenSSL\bin\openssl.conf -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem
But now I get the following error in the command prompt
error on line -1 of C:\OpenSSL\bin\openssl.conf
4220:error:02001002:system library:fopen:No such file or
directory:.\crypto\bio\bss_file.c:126:fopen('C:\OpenSSL\bin\openssl.conf','rb')
4220:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file.c:129:
4220:error:0E078072:configuration file routines:DEF_LOAD:no such file:.\crypto\conf\conf_def.c:197:
On Windows you can also set the environment property OPENSSL_CONF. For example from the commandline you can type:
set OPENSSL_CONF=c:/libs/openssl-0.9.8k/openssl.cnf
to validate it you can type:
echo %OPENSSL_CONF%
You can also set it as part of the computer's environmental variables so all users and services have it available by default. See, for example, Environment variables in Windows NT and How To Manage Environment Variables in Windows XP.
Now you can run openssl commands without having to pass the config location parameter.
Just add to your command line the parameter -config c:\your_openssl_path\openssl.cfg, changing your_openssl_path to the real installed path.
Just create an openssl.cnf file yourself like this in step 4: http://www.flatmtn.com/article/setting-openssl-create-certificates
Edit after link stopped working
The content of the openssl.cnf file was the following:
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
set OPENSSL_CONF=c:/{path to openSSL}/bin/openssl.cfg
take care of the right extension (openssl.cfg not cnf)!
I have installed OpenSSL from here: http://slproweb.com/products/Win32OpenSSL.html
If you have installed Apache with OpenSSL navigate to bin directory. In my case D:\apache\bin.
*These commands also work if you have stand alone installation of openssl.
Run these commands:
openssl req -config d:\apache\conf\openssl.cnf -new -out d:\apache\conf\server.csr -keyout d:\apache\conf\server.pem
openssl rsa -in d:\apache\conf\server.pem -out d:\apache\conf\server.key
openssl x509 -in d:\apache\conf\server.csr -out d:\apache\conf\server.crt -req -signkey d:\apache\conf\server.key -days 365
*This will create self-signed certificate that you can use for development purposes
Again if you have Apache installed in the httpd.conf stick these:
<IfModule ssl_module>
SSLEngine on
SSLCertificateFile "D:/apache/conf/server.crt"
SSLCertificateKeyFile "D:/apache/conf/server.key"
</IfModule>
I just had a similar error using the openssl.exe from the Apache for windows bin folder. I had the -config flag specified by had a typo in the path of the openssl.cnf file. I think you'll find that
openssl req -config C:\OpenSSL\bin\openssl.conf -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem
should be
openssl req -config "C:\OpenSSL\bin\openssl.cnf" -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem
Note: the conf should probably be cnf.
Just try to run openssl.exe as administrator.
If you installed OpenSSL on Windows together with Git, then add this to your command:
-config "C:\Program Files\Git\usr\ssl\openssl.cnf"
I had the same issue on Windows. It was resolved by setting the environment variable as follow:
Variable name: OPENSSL_CONF
Variable value: C:(OpenSSl Directory)\bin\openssl.cnf
If openssl installation was successfull, search for "OPENSSL" in c drive to locate the config file and set the path.
set OPENSSL_CONF=<location where cnf is available>/openssl.cnf
It worked out for me.
The problem here is that there ISN'T an openssl.cnf file given with the GnuWin32 openssl stuff. You have to create it. You can find out HOW to create an openssl.cnf file by going here:
http://www.flatmtn.com/article/setting-ssl-certificates-apache
Where it lays it all out for you on how to do it.
PLEASE NOTE: The openssl command given with the backslash at the end is for UNIX. For Windows : 1)Remove the backslash, and 2)Move the second line up so it is at the end of the first line. (So you get just one command.)
ALSO: It is VERY important to read through the comments. There are some changes you might want to make based upon them.
This workaround helped us so much at my job (Tech Support), we made a simple batch file we could run from anywhere (We didnt have the permissions to install it). This workaround will set the variable and then run OpenSSL for you. It also opens up the bin folder for you (cause this is where any files you create or modify will be saved). Also, this is only for Windows.
How to Set Up:
Download the OpenSSL binaries here. (Note that this is confirmed to work with version 0.9.8h.)
Copy this code to a file named StartOpenSSL.bat. Save this to a location of your choice. It can be run from anywhere.
#echo off
title OpenSSL
cd\openssl\bin
if exist "C:\openssl\share\openssl.cnf" (
set OPENSSL_CONF=c:/openssl/share/openssl.cnf
start explorer.exe c:\openssl\bin
echo Welcome to OpenSSL
openssl
) else (
echo Error: openssl.cnf was not found
echo File openssl.cnf needs to be present in c:\openssl\share
pause
)
exit
Once you have downloaded the OpenSSL binaries, extract them to your C drive in a folder titled OpenSSL. (The path needs to be C:\OpenSSL). Do not move any of the folders contents around, just extract them to the folder.
You are ready to use OpenSSL. This is a great workaround for Windows users who dont have the privileges to install it as it requires no permissions. Just run the bat file from earlier by double clicking it.
https://github.com/xgqfrms-gildata/App001/issues/3
first, make sure you have an openssl.cnf file in the right path;
if you can't find it, just download one and copy it to your setting path.
$ echo %OPENSSL_CONF%
$ set OPENSSL_CONF=C:\OpenSSL\bin\openssl.cnf
If you are seeing an error something like
error on line -1 c:apacheconfopenssl.cnf
try changing from back slash to front slash in the -config.
Run the command as administrator and copy the config file to somewhere where you have read rights and specify the path with the -config parameter.
I know this question is old but here is how I solved it.
I copied the openssl.cnf file from the bin directory to the parent directory which is C:/Openssl/openssl.cnf instead of C:/Openssl/bin/openssl.cnf and worked fine.
I know this is old -- but thought others that happen on this (and use Visual Studio) might benefit. I read this on another post that I can't seem to find.
Open your config in notepad++ and make sure it's Encoding is UTF-8 (i.e., not UTF-8-BOM*).
This would have save me a lot of searching/trial'n'errors...
I was also facing same issue. Below are the steps to resolve it.
check your openssl version
openssl version
If your version is below
OpenSSL 1.1.1h 22 Sep 2020
go to below link and download latest full version of openssl.
openssl windows installer
After installation add openssl path at the top of 'PATH' variable in system path.
confirm your version is latest by opening new command prompt and running command in step 1
Now you're ready to run the command again and this time it will work.

Resources