If I run
openssl pkcs12 -in cert.pfx -out cert.pem -password pass:mypass
I can successfully convert the pfx to pem. I am prompted for a PEM password so that the private key is encrypted inside the .pem file.
But in a script, how do I supply the PEM password automatically? I tried the -passin parameter, but it had no effect.
I suspect that if I simply concatenate a PEM certificate and a PEM key (not derived from a pfx), it is equivalent to converting from pfx to pem, but the PEM file that comes from the PFX has those extra Bag Attributes base64 strings on the outside, and I do not know whether that matters.
So how do I correctly "create" a PEM file with an encrypted private key without being prompted for a password?
Accepted answer
If you look at the openssl pkcs12 documentation you will see:
-passin arg
The PKCS#12 file (i.e. input file) password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
-passout arg
Pass phrase source to encrypt any outputted private keys with. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
That points you to:
Pass Phrase Options
Several commands accept password arguments, typically using -passin and -passout for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off.
Note that character encoding may be relevant, please see passphrase-encoding(7).
pass:password
The actual password is password. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important.
env:var
Obtain the password from the environment variable var. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution.
file:pathname
The first line of pathname is the password. If the same pathname argument is supplied to -passin and -passout arguments then the first line will be used for the input password and the next line for the output password. pathname need not refer to a regular file: it could for example refer to a device or named pipe.
fd:number
Read the password from the file descriptor number. This can be used to send the data via a pipe for example.
stdin
Read the password from standard input.
So, putting it all together, you can do:
openssl pkcs12 -in cert.pfx -out cert.pem -passin pass:mypass -passout pass:mypass
As for why -password did not work for you:
-password arg
With -export, -password is equivalent to -passout. Otherwise, -password is equivalent to -passin.
So, since you were not using "-export", it acted the same as the "-passin" option. Because of this behaviour, I like to use "-passin" and "-passout" explicitly.
Regarding "openssl: how to convert pfx to pem in a script", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55185525/
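As an added example (not part of the answer above), the same conversion done non-interactively from a script, but with the file: password source the manual excerpt describes instead of pass:, so the secrets do not show up in the process list; it assumes a POSIX shell and the openssl CLI, and all file names are placeholders.

```shell
#!/bin/sh
# Added example: pfx -> pem with an encrypted private key, no prompt.
# Assumes a POSIX shell and the openssl CLI; file names are placeholders.
set -eu

# Line 1 = PFX (input) password, line 2 = PEM (output) password. When the same
# pathname is given to -passin and -passout, OpenSSL reads line 1 for input
# and line 2 for output, exactly as the manual excerpt says.
write_passfile() {
  passfile="$1"; in_pw="$2"; out_pw="$3"
  ( umask 077; printf '%s\n%s\n' "$in_pw" "$out_pw" > "$passfile" )
}

# Non-interactive conversion; file: keeps both passwords out of `ps` output.
pfx_to_pem() {
  pfx="$1"; pem="$2"; passfile="$3"
  openssl pkcs12 -in "$pfx" -out "$pem" \
    -passin "file:$passfile" -passout "file:$passfile"
}

# Succeeds only if the PEM holds an encrypted (PKCS#8) private key.
pem_key_is_encrypted() {
  grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Self-contained demo: build a throwaway self-signed cert and PFX (constructed
# test data), convert it, and verify the result. Returns 0 on success.
demo() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo' \
    -keyout "$dir/key.pem" -out "$dir/crt.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/crt.pem" \
    -out "$dir/cert.pfx" -passout pass:pfxsecret
  write_passfile "$dir/pass.txt" pfxsecret pemsecret
  pfx_to_pem "$dir/cert.pfx" "$dir/cert.pem" "$dir/pass.txt"
  pem_key_is_encrypted "$dir/cert.pem"
  # The key in the output must open with the password from line 2.
  openssl pkey -in "$dir/cert.pem" -passin pass:pemsecret -noout
  rm -rf "$dir"
}
```

The fd: source works the same way for a pipe (e.g. -passin fd:3 with 3<passfile) if you would rather not leave a file on disk.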