How to specify CA private key password for client certificate creation using OpenSSL

Dio F picture Dio F · May 24, 2015 · Viewed 19k times · Source

I am building a command line script to create a client certificate using OpenSSL "mini CA" feature.

I have a CA certificate and CA private key encrypted with a password. With those things I am trying to create the client certificate and stumbled upon the command line syntax. How do I specify the password for the CA's private key?

So far, I have ...

openssl x509
  -req
  -in client.csr
  -signkey client.key
  -passin pass:clientPK
  -CA client-ca.crt
  -CAkey client-ca.key 
  -CAkeypassin pass:client-caPK <-- does not work
  -CAcreateserial
  -out client.crt
  -days 365

See the highlighted parameter. I expect something like this, but I cannot find it anywhere in the docs.

Corrected

Just for the records. The -signkey parameter is used for self signed certificates. CA's don't have access to the client's private key and so will not use this. Instead the -passin parameter refers to the CA's private key.

openssl x509
  -req
  -in client.csr
  -CA client-ca.crt
  -CAkey client-ca.key 
  -passin pass:CAPKPassword
  -CAcreateserial
  -out client.crt
  -days 365

Answer

Prabhu picture Prabhu · May 24, 2015

Use -passin pass as shown below.

 openssl x509
      -req
      -in client.csr
      -signkey client.key
      -passin pass:clientPK
      -CA client-ca.crt
      -CAkey client-ca.key 
      -passin pass:secret <-- try this
      -CAcreateserial
      -out client.crt
      -days 365