Generate Ssl Key Without Passphrase
In this article you’ll find how to generate CSR (Certificate Signing Request) using OpenSSL from the Linux command line, without being prompted for values which go in the certificate’s subject field.
Dec 03, 2011 You can use the following single step command if this is what you need and you should be good to go requesting the certificate from the Certificate Authority (or your SSL vendor) or jump to the self-generated certificate step further below otherwise. Generate a private key without passphrase + CSR. The command -generate-key may be used along with the option -batch for unattended key generation. This is the most flexible way of generating keys, but it is also the most complex one. Consider using the quick key manipulation interface described in the previous subsection “The quick key. If you use a strong passphrase and someone steals the key from your USB device, they won’t be able to use it without the password. When you’re done, you will see something similar to the below image.
- Export Certificate as PKCS12/PFX Does Not Provide Passphrase Encoding. According to PCKS #12 we should have a password to protect the private key that is exported with the cert. Currently the key vault gives you a warning during export/download that no password is used, however it doesn't provide the capability to provide a passphrase.
- The “X.509” is a public key infrastructure standard that SSL and TLS adhere to for key and certificate management.-nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Apache to be able to read the file, without user intervention, when the server starts up.
Below you’ll find two examples of creating CSR using OpenSSL.
In the first example, i’ll show how to create both CSR and the new private key in one command.
And in the second example, you’ll find how to generate CSR from the existing key (if you already have the private key and want to keep it).
Both examples show how to create CSR using OpenSSL non-interactively (without being prompted for subject), so you can use them in any shell scripts.
Create CSR and Key Without Prompt using OpenSSL
Use the following command to create a new private key 2048 bits in size example.key and generate CSR example.csr from it:
| Option | Description |
|---|---|
| openssl req | certificate request generating utility |
| -nodes | if a private key is created it will not be encrypted |
| -newkey | creates a new certificate request and a new private key |
| rsa:2048 | generates an RSA key 2048 bits in size |
| -keyout | the filename to write the newly created private key to |
| -out | specifies the output filename |
| -subj | sets certificate subject |
Generate CSR From the Existing Key using OpenSSL
Use the following command to generate CSR example.csr from the private key example.key:
| Option | Description |
|---|---|
| openssl req | certificate request generating utility |
| -new | generates a new certificate request |
| -key | specifies the file to read the private key from |
| -out | specifies the output filename |
| -subj | sets certificate subject |
Windows Generate Ssl Key
Automated Non-Interactive CSR Generation
Generate Ssl Key Without Passphrase Change
The magic of CSR generation without being prompted for values which go in the certificate’s subject field, is in the -subj option.
Generate Ssl Certificate Without Passphrase
| -subj arg | Replaces subject field of input request with specified data and outputs modified request. The arg must be formatted as /type0=value0/type1=value1/type2=…, characters may be escaped by (backslash), no spaces are skipped. |
The fields, required in CSR are listed below:
| Field | Meaning | Example |
|---|---|---|
| /C= | Country | GB |
| /ST= | State | London |
| /L= | Location | London |
| /O= | Organization | Global Security |
| /OU= | Organizational Unit | IT Department |
| /CN= | Common Name | example.com |
You’ve created encoded file with certificate signing request.
Now you can decode CSR to verify that it contains the correct information.