How to specify CA private key password for client certificate creation using OpenSSL
I am building a command line script to create a client certificate using OpenSSL "mini CA" feature.
I have a CA certificate and CA private key encrypted with a password. With those things I am trying to create the client certificate and stumbled upon the command line syntax. How do I specify the password for the CA's private key?
So far, I have ...
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-CAkeypassin pass:client-caPK <-- does not work
-CAcreateserial
-out client.crt
-days 365
See the highlighted parameter. I expect something like this, but I cannot find it anywhere in the docs.
Corrected
Just for the records. The -signkey parameter is used for self signed certificates. CA's don't have access to the client's private key and so will not use this. Instead the -passin parameter refers to the CA's private key.
openssl x509
-req
-in client.csr
-CA client-ca.crt
-CAkey client-ca.key
-passin pass:CAPKPassword
-CAcreateserial
-out client.crt
-days 365
Answer
Use -passin pass as shown below.
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-passin pass:secret <-- try this
-CAcreateserial
-out client.crt
-days 365