Working with openssl to extract information from a pkcs12 certificate - bash

I would like some help with the openssl command. I need to automate the retrieval of the subject= line in a pkcs12 certificate for a script I'm working on.
I've used openssl to view the contents of the Identity/Certificate:
openssl pkcs12 -info -in /Users/[user]/Desktop/ID.pfx
But I am prompted three times for the password. I used -passin to eliminate one of the password prompts, but I am still being prompted for the PEM pass phrase and verification entry.
I need to figure out a way to pass ${password} to the other two password challenges or have the scrip issue a ctl-c. The piece of info I need is outputted to the stdout before the second password prompt.
Any help would be appreciated!
Obviously I gutted the certificate output for this post.... but you should get the idea of what I'm seeing:
bash-3.2# openssl pkcs12 -info -in /Users/[user]/Desktop/ID.pfx -passin pass:${password}
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: ****
friendlyName: ****
subject=****
issuer=****
-----BEGIN CERTIFICATE-----
::HASH REMOVED::
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: ****
Bag Attributes
localKeyID: ****
friendlyName: ****
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info:
::HASH REMOVED::
-----END RSA PRIVATE KEY-----
bash-3.2#

Try this:
$ openssl pkcs12 -in ~/cert.p12 -nodes \
-passin pass:"my password" | openssl x509 -noout -subject
Or this for the common name (ruby to strip trailing whitespace):
$ openssl pkcs12 -in ~/cert.p12 -nodes \
-passin pass:"my password" | openssl x509 -noout -subject \
| awk -F'[=/]' '{print $6}'`.strip`

Copying answer here in order to remove this question from the "Unanswered" filter:
openssl pkcs12 -nokeys -in /Users/[User]/Desktop/ID.pfx -passin pass:${password}

You could also use -passin and -passout which would not prompt you again for manual input. Here is a sample code:
openssl pkcs12 -in seldpush_dev.p12 -passin pass:$password -passout pass:$password | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
openssl x509 -subject -noout
Basically, use -keyword to fetch that value. In your case, -subject.

This is a few years late; I'm not familiar with openssl, & etc; but since I see no reference to "-nokeys" I'll give what works for me.
echo -e "$password\n$passphrase\n$passphrase\n" \
| openssl pkcs12 -in /Users/[user]/Desktop/ID.pfx -passin stdin -passout stdin
from manpage
stdin read the password from standard input.

Related

How to Pass PKCS12 password into openssl conversion module?

script.sh
certKey=$(openssl rand -hex 70)
openssl pkcs12 -export -out fullchain.p12 --passin pass:$certKey -inkey .../privkey.pem -in .../fullchain.pem
I when calling this script the certKey is not passed in, and system asks me for the pkcs12 password. But I am clearly trying to pass $certKey in.
openssl Documention
"-passin arg
The PKCS#12 file (i.e. input file) password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1)."
What am I missing? Thanks!
Should be -passout
openssl pkcs12 -export -out fullchain.p12 -passout pass:$certKey -inkey .../privkey.pem -in .../fullchain.pem

Playing with public/private keys on the command line

I want to play with public/private keys just for fun.
I want to use shorter strings, just to see the magic in front of my eyes.
Example:
"Text_merry_X-mas" + small_key1 -> "any_small_unreadable_string"
"any_small_unreadable_string" + key2 -> "Text_merry_X-mas"
I do not care if the algorithm is RSA or anything else.
I just want to give this inputs and get outputs on the command line.
I do not want to encrypt files and let RSA calculate that long keys,
because again it is just for fun.
And i would like to be able to define key1, as we do for passwords.
Than let key2 be calculated from key1.
Can you guys give me some tips?
Thx a los!
Broadly:
For Asymmetric encryption you must first generate your private key and extract the public key.
openssl genrsa -aes256 -out private.key 8912
openssl rsa -in private.key -pubout -out public.key
To encrypt:
openssl rsautl -encrypt -pubin -inkey public.key -in plaintext.txt -out encrypted.txt
To decrypt:
openssl rsautl -decrypt -inkey private.key -in encrypted.txt -out plaintext.txt
This and more nicely summarized here: https://gist.github.com/dreikanter/c7e85598664901afae03fedff308736b

entering password into openssl command from shell script

I am trying to convert a p12 to a pem from a shell script without any user input.
I can have the password as a variable within the script.
so when I call:
openssl pkcs12 -in *.p12 -out cert.pem -nodes
The terminal prints "Enter Import Password:" and waits for input.
I tried to pipe the password in with:
echo $PASS | openssl pkcs12 -in *.p12 -out cert.pem -nodes
as well as trying to use a flag with the openssl command but can't figure out how to do this.
This one liner worked for me-
openssl pkcs12 -in certificate.p12 -password pass:<your_password> -nodes | openssl x509 -noout -enddate

openssl: how to disable "writing RSA key" message in console

Is there any way to disable console message "writing RSA key"?
$ openssl rsa -pubout -outform DER -inform PEM -in /tmp/res/chrome.pem -out 1 > /dev/null
writing RSA key
$ openssl rsa -pubout -outform DER -inform PEM -in /tmp/res/chrome.pem -out 1
writing RSA key
$ openssl rsa -pubout -outform DER -inform PEM -in /tmp/res/chrome.pem > /dev/null
writing RSA key
I tried those commands, with same result :(
Running the command with strace shows that the message is written to STDERR:
write(2, "writing RSA key\n", 16) = 16
^
so you have to redirect STDERR instead of STDOUT:
openssl rsa -pubout ... 2>/dev/null

Read common name from .pem file

is there a way to read the common name from a .pem file in my shell?
Thanks
First off, the .pem extension only refers to the type of encoding used in the file.
The common name would be a feature of the Subject or Issuer of a certificate, and can be recognised by the lines
$ grep CERTIFICATE f.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
and lots of base64 encoded text in between.
If the .pem file contains an x509 certificate,
this should do the trick:
openssl x509 -in cacert.pem -noout -text
This will dump the whole certificate. The openssl x509
command has several options to suppress the fields you don't want to see. You find those explained in the man page, under TEXT OPTIONS
You can also choose to get shown just the 'Subject' of the certificate:
openssl x509 -in cacert.pem -noout -subject
Example:
Let's capture the certificate of stackoverflow.com straight from the server
$ : | openssl s_client -connect stackoverflow.com:443 > f.pem 2>& 1 &&
openssl x509 -in f.pem -noout -subject 2>& 1
Outputs:
Subject: CN = *.stackexchange.com

Resources