I'd like to ask a question about exporting a certificate using the openssl command. In essence, I have to export the certificate and import it to MS Exchange server, and this job should be automated as a regular job such as cron.
So, exporting certificate was actually fine, it had no problems. I ran the following commands to do so.
Of course, I don't know what that means so I just pressed Enter key and the following happened.
Error outputting keys and certificates
140271773574400:error:28069065:UI routines:UI_set_result:result too small:../crypto/ui/ui_lib.c:778:You must type in 4 to 1024 characters
140271773574400:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:493:while reading strings
140271773574400:error:0906406D:PEM routines:PEM_def_callback:problems getting password:../crypto/pem/pem_lib.c:64:
140271773574400:error:0907E06F:PEM routines:do_pk8pkey:read key:../crypto/pem/pem_pk8.c:83:
In my opinion, it looks like the system is asking for a passphrase for the private key. However, I don't have that. The system used the following command to get the certificate.
Yes, I made the export password deliberately empty, you are correct. But I still think this is related to the private key passphrase. Because when I ran the openssl pkcs12 -in /tmp/cert.pfx -info command, the system actually asked for the import password first and I just pressed Enter key, which kept going as shown below.
Enter Import Password:
MAC:sha1 Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
[ ... ]
And, certbot won't generate a private key with passphrase, else you will be asked to enter it when you create the pfx file...
Okay, so I guess the certbot in my system also didn't create a passphrase for the private key because it didn't ask anything when I was creating the pfx file.
As I said... When you set the pass: to empty, that means the password is "" instead of nothing...
So, if I actually don't want password, how should I do that? Is it not possible at all?
Also, another question is, what is the difference between Import Password and PEM pass phrase? What I thought was:
Import Password = Export Password when I was creating pfx file (which is "" in this case)
PEM pass phrase = pass phrase when creating a private key
I'm sorry... I actually just tested the command and see that even if I don't provide a passphrase (private key), I was still able to export the keys into the pfx file. So the pem passphrase asked in status is actually asking for your private key password... (Which is a confusing point since if certbot generated those keys, there shouldn't be any password)
TL;DR: it's actually asking for private key passwords, not import / export passwords.. sincerely apologise..
You are right... I'm wrong..
Can you please take a look at the private key file and see what it starts with? ( Is it with BEGIN RSA PRIVATE KEY or BEGIN ENCRYPTED PRIVATE KEY?)
I just had a look and the key file actually begins with "-----BEGIN PRIVATE KEY-----" so I believe you are correct, the private key doesn't have a pass phrase.
I quickly looked up the manual for openssl and found this option for pkcs12: -nokeys. When I typed the command with that option, it actually showed the certificate only, not the key, which might be what I actually want. So, from this point, I guess I can work on the automation. Thanks a lot.
So, this is almost certainly not what you want, as the private key is necessary to actually use the certificate, and it would not be exported in this case.
The flag you're looking for is -nodes, I believe. What it's asking you for is a passphrase to encrypt the PFX file with to present at least somewhat of a challenge to a malicious party who happens to intercept this file. You set the passphrase, but it has to be (as you saw) between 4 and 1024 characters. The -nodes flag says "don't encrypt this".
By the way, it took me a moment to understand what this flag was referring to, but it's presumably "no DES" (don't use the Data Encryption Standard) rather than the English word "nodes".
I thought the private key was also exported because when I typed the following command, the private key's content was shown at the end of the output. Maybe I am wrong.
openssl pkcs12 -in /tmp/cert.pfx -info
[ ... ]
Enter PEM pass phrase: <I typed just a random string here>
Verifying - Enter PEM pass phrase: <I typed the same as the above>
-----BEGIN ENCRYPTED PRIVATE KEY-----
[ Content Removed ]==
-----END ENCRYPTED PRIVATE KEY-----
For my curiosity, if I actually want to set a PEM pass phrase when exporting, is it possible to set by any flags? Thanks again.
I just tried with the -nodes flag when exporting but the result is still the same. It asks for a PEM pass phrase. At this stage, all I can think about is touching the private key.
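To make the -nodes / -nokeys / pass: discussion above concrete, here is an added example (not from any poster in this thread) that runs the openssl pkcs12 steps without any prompt, the way a cron job needs them: export with -passout, parse with -nodes and -passin, certificate-only with -nokeys. It assumes openssl on PATH, POSIX sh, and a constructed throwaway self-signed key pair standing in for certbot's privkey.pem/cert.pem; the password value is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: openssl on PATH, POSIX sh,
# and a constructed self-signed key pair standing in for certbot's privkey.pem/cert.pem.
set -eu
umask 077   # files holding keys or passwords must not be group/world readable
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the certbot files: a throwaway self-signed certificate and
# an unencrypted PKCS#8 key ("-----BEGIN PRIVATE KEY-----", as in the thread).
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# The export password lives in a mode-0600 file read via file:, so it never shows up
# in `ps` (as pass:... would) or in an interactive prompt. Placeholder value, constructed.
write_export_password() {
  printf '%s\n' 'change-me-export-password' > "$WORK/export.pw"
}

# Export without prompting. The thread's "empty" password would be -passout pass:
# (a zero-length string, which is still a password).
export_pfx() {
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/privkey.pem" \
    -out "$WORK/cert.pfx" -passout file:"$WORK/export.pw"
}

# Parsing is where "Enter PEM pass phrase" comes from: openssl wants a 4..1024 char
# passphrase to re-encrypt the key it writes out. -nodes (alias -noenc in OpenSSL 3)
# writes it unencrypted instead, and -passin answers the "Enter Import Password" prompt.
key_header_from_pfx() {
  openssl pkcs12 -in "$WORK/cert.pfx" -nodes -passin file:"$WORK/export.pw" 2>/dev/null \
    | grep -m1 '^-----BEGIN .*PRIVATE KEY-----$'
}

# -nokeys prints only the certificate(s); since no key is written, nothing is asked.
cert_count_from_pfx() {
  openssl pkcs12 -in "$WORK/cert.pfx" -nokeys -passin file:"$WORK/export.pw" 2>/dev/null \
    | grep -c '^-----BEGIN CERTIFICATE-----$'
}

make_test_pair
write_export_password
export_pfx
echo "key header with -nodes:    $(key_header_from_pfx)"   # -----BEGIN PRIVATE KEY-----
echo "certificates with -nokeys: $(cert_count_from_pfx)"   # 1
```

Note that -nodes is a parsing option, which is why adding it to the -export command changed nothing; for the export side the non-interactive knob is -passout.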