How to generate an openSSL key using a passphrase from the command line?

openssl
Mawg says reinstate Monica picture Mawg says reinstate Monica · Nov 28, 2010 · Viewed 224.1k times · Source

First - what happens if I don't give a passphrase? Is some sort of pseudo random phrase used? I'm just looking for something "good enough" to keep casual hackers at bay.

Second - how do I generate a key pair form the command line, supplying the passphrase on the command line?

I finally got it working using these commands, using exec() which it is generally reckoned not safe to use, being better to give the PassPhrase in a file. I can accept this risk as I am sure that the PHP will only ever be executed on my PC (which runs windows & doesn't have a PS command).

openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 2048
openssl rsa -in privkey.pem -passin pass:foobar -pubout -out privkey.pub

Many many thanks to @caf, without whom this would not have been possible.

Only one regret - that, no matter how much I Google, no one can seem to get openssl_pkey_new() working with Xampp on Windows (which is the proper way to generate a key pair)

Answer

caf picture caf · Nov 29, 2010

If you don't use a passphrase, then the private key is not encrypted with any symmetric cipher - it is output completely unprotected.

You can generate a keypair, supplying the password on the command-line using an invocation like (in this case, the password is foobar):

openssl genrsa -aes128 -passout pass:foobar 3072

However, note that this passphrase could be grabbed by any other process running on the machine at the time, since command-line arguments are generally visible to all processes.

A better alternative is to write the passphrase into a temporary file that is protected with file permissions, and specify that:

openssl genrsa -aes128 -passout file:passphrase.txt 3072

Or supply the passphrase on standard input:

openssl genrsa -aes128 -passout stdin 3072

You can also used a named pipe with the file: option, or a file descriptor.

To then obtain the matching public key, you need to use openssl rsa, supplying the same passphrase with the -passin parameter as was used to encrypt the private key:

openssl rsa -passin file:passphrase.txt -pubout

(This expects the encrypted private key on standard input - you can instead read it from a file using -in <file>).

Example of creating a 3072-bit private and public key pair in files, with the private key pair encrypted with password foobar:

openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 3072
openssl rsa -in privkey.pem -passin pass:foobar -pubout -out privkey.pub

Related questions

How to create a self-signed certificate with OpenSSL

I'm adding HTTPS support to an embedded Linux device. I have tried to generate a self-signed certificate with these steps: openssl req -new > cert.csr openssl rsa -in privkey.pem -out key.pem openssl x509 -in cert.csr -out …

Read More
How to get .pem file from .key and .crt files?

How can I create a PEM file from an SSL certificate? These are the files that I have available: .crt server.csr server.key

Read More
Using openssl to get the certificate from a server

I am trying to get the certificate of a remote server, which I can then use to add to my keystore and use within my java application. A senior dev (who is on holidays :( ) informed me I can run this: …

Read More