Enter PEM pass phrase?


Hi all,

I’d like to ask the question about the exporting a certificate using openssl command. In essence, I have to export the certificate and import it to MS Exchange server and this job should be automated as a regular job such as cron.

So, exporting certificate was actually fine, it had no problems. I ran the following commands to do so.

cd /etc/letsencrypt/live/mydomain
openssl pkcs12 -export -out /tmp/cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:

Now, when I typed the following command for verification, the system asked a PEM pass phrase.

openssl pkcs12 -in /tmp/cert.pfx -info
[ Output truncated ]
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: E5 1F EC A9 59 09 82 45 29 90 02 CB C6 43 38 E0 88 1E A5 78
Key Attributes:
Enter PEM pass phrase:

Of course, I don’t know what that means so I just pressed Enter key and the following happened.

Error outputting keys and certificates
140271773574400:error:28069065:UI routines:UI_set_result:result too small:…/crypto/ui/ui_lib.c:778:You must type in 4 to 1024 characters
140271773574400:error:2807106B:UI routines:UI_process:processing error:…/crypto/ui/ui_lib.c:493:while reading strings
140271773574400:error:0906406D:PEM routines:PEM_def_callback:problems getting password:…/crypto/pem/pem_lib.c:64:
140271773574400:error:0907E06F:PEM routines:do_pk8pkey:read key:…/crypto/pem/pem_pk8.c:83:

In my opinion, it looks like the system is asking a passphrase for private key. However, I don’t have that. The system used the following command to get the certificate.

certbot --nginx -n --agree-tos --email systems@mydomain --redirect --domains mail.mydomain

Can someone please explain what this is about and how to resolve it? I would really appreciate it if anyone can help me. Thanks a lot.



This is not relevant with let’s encrypt, rather than your way of generating PFX files.

This command is the real issue.

In your command, the password is an empty string, instead of no password…

Sadly i don’t know how to generate a no password PKCS12 without interaction…

Thank you



Yes, I made the export password deliberately empty, you are correct. But I still think this is related to private key passphrase. Because when I ran the openssl pkcs12 -in /tmp/cert.pfx -info command, the system actually asked the import password first and I just pressed Enter key, which kept going on shown as below.

Enter Import Password:
MAC:sha1 Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
[ … ]




As I said… When you set the pass: to empty, that means the password is “” instead of nothing…

And, certbot won’t generate a private key with passphrase, else you will be asked to enter it when you create the pfx file…

Thank you



And, certbot won’t generate a private key with passphrase, else you will be asked to enter it when you create the pfx file…

Okay, so I guess the certbot in my system also didn’t create a passphrase for the private key because it didn’t ask anything when I was creating the pfx file.

As I said… When you set the pass: to empty, that means the password is “” instead of nothing…

So, if I actually don’t want password, how should I do that? Is it not possible at all?

Also, another question is, what is the difference between Import Password and PEM pass phrase? What I thought was:

Import Password = Export Password when I was creating pfx file (which is “” in this case)
PEM pass phrase = pass phrase when creating a private key

Am I not following correctly? Thanks a lot.



I’m sorry… I actually just tested the command and see that even if I don’t provide an passphrase (private key), I was still able to export the keys into the pfx file. So the pem passphrase asked in status is actually asking for your private key password… (Which is a confusing point since if certbot generated those keys, there shouldn’t be any password)

TL.DR. it’s actually asking for private key passwords, not import / export passwords… sincerely apologise…

You are right… I’m wrong…

Can you please take a look at the private key file and see what it starts with? ( Is it with BEGIN RSA PRIVATE KEY or BEGIN ENCRYPTED PRIVATE KEY?)

thank you



I just had a look and the key file actually begins with ‘-----BEGIN PRIVATE KEY-----’ so I believe you are correct, the private key doesn’t have pass phrase.

I quickly looked up the manual for openssl and found this option for pkcs12: -nokeys. When I typed the command with that option, it actually showed the certificate only not the key, which might be what I actually want. So, from this point, I guess I can work with the automation work. Thanks a lot.


Glad you found what you want… Apologise for the misleading information I gave…

Just FYI: for certbot, there is a new option to let you reuse the key, so you won’t need to import the key every 90 days.

Thank you


So, this is almost certainly not what you want, as the private key is necessary to actually use the certificate, and it would not be exported in this case.

The flag you’re looking for is -nodes, I believe. What it’s asking you for is a passphrase to encrypt the PFX file with to present at least somewhat of a challenge to a malicious party who happens to intercept this file. You set the passphrase, but it has to be (as you saw) between 4 and 1024 characters. The -nodes flag says “don’t encrypt this”.


By the way, it took me a moment to understand what this flag was referring to, but it’s presumably “no DES” (don’t use the Data Encryption Standard) rather than the English word “nodes”.


That’s correct - I considered mentioning that but it seemed like potentially extraneous/confusing information. :grinning:



Thanks for the information. So, if I understood your message correctly, I actually have to type the command for export as below, correct?

openssl pkcs12 -export -nodes -out /tmp/cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:

I thought the private key was also exported because when I typed the following command, the private key’s content was shown at the end of the output. Maybe I am wrong.

openssl pkcs12 -in /tmp/cert.pfx -info
[ … ]

Enter PEM pass phrase: <I typed just a random string here>
Verifying - Enter PEM pass phrase: <I typed the same as the above>
[ Content Removed ]==

For my curiosity, if I actually want to set a PEM pass phrase when exporting, is it possible to set by any flags? Thanks again.



I just tried with -nodes flag when exporting but the result is still the same. It asks PEM pass phrase. At this stage, all I can think about is touching the private key.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.