PowerShell – How to Create Certificate Using OpenSSL Without User Prompt for Passphrase

opensslpowershellssl-certificate

I'm setting up a development VDI, and need to automate creations of some certificates for accessing https://{foo}.local (127.0.0.1) websites duing dev and testing.

I'm only allowed to use OpenSSL and powershell and it must be unnattended, need to run this to automate setting up a developer VDI, so cannot have any user prompts.

I found lots of code with the following type of example but cant find a way to pass in the passphrase to use;

this is what I have so far…

openssl 
   req -x509 -newkey rsa:4096 -keyout 
   openssl.key -out openssl.crt -subj /CN=website.name 
   -days 300

this would then be followed by creating the actual certificate

openssl pck12 -export .... etc

As mentioned, I need to be able to provide a passphrase so that the above runs without any user intervention. The above code runs as expected, just …kicks up the prompt for passphrase.

i've tried various -passin {xyz} even -password pass:mysecret et al settings, to no avail.

Any ideas?
Txs,
A

Best Answer

Add the parameter -nodes to your openssl command.

openssl 
   req -x509 -newkey rsa:4096 -nodes -keyout 
   openssl.key -out openssl.crt -subj /CN=website.name 
   -days 300

This will skip the encryption of the private key. You will not be prompted for a passphrase.

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Powershell – Run Elevated Powershell prompt from command-line

Sure... works on Windows 7+, too.

Open Powershell first:

Type PowerShell to enter a PowerShell session.

Once in the session:

Type Start-Process PowerShell -Verb RunAs and press Enter.

That will open a new Powershell process as Administrator.

------- OR -------

To do it all with only one line from the command prompt, just type:

powershell -Command "Start-Process PowerShell -Verb RunAs"

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

Powershell – Run Elevated Powershell prompt from command-line

Related Topic