openssl: how to convert pfx into pem in a script

If I run openssl pkcs12 -in cert.pfx -out cert.pem -password pass:mypass, I can successfully convert the pfx into pem. I am prompted for a PEM pass phrase so that the private key is encrypted in the .pem file.

But in a script, how do I supply the PEM pass phrase automatically? I tried the -passin argument but it had no effect.

I guess that if I separately concatenate a PEM certificate and a PEM key (not from a pfx) it would be equivalent to converting from pfx to pem, but the PEM file produced from the PFX has those Bag attributes besides the base64 strings, and I don't know whether that matters.

So how do I properly "create" a PEM file with an encrypted private key without being prompted for the password?

If you look at the openssl pkcs12 documentation, you will see:

-passin arg

The PKCS#12 file (i.e. input file) password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

-passout arg

Pass phrase source to encrypt any outputted private keys with. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

which points you to:

Pass Phrase Options

Several commands accept password arguments, typically using -passin and -passout for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off.

Note that character encoding may be relevant, please see passphrase-encoding(7).

pass:password

The actual password is password. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important.

env:var

Obtain the password from the environment variable var. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution.

file:pathname

The first line of pathname is the password. If the same pathname argument is supplied to -passin and -passout arguments then the first line will be used for the input password and the next line for the output password. pathname need not refer to a regular file: it could for example refer to a device or named pipe.

fd:number

Read the password from the file descriptor number. This can be used to send the data via a pipe for example.

stdin

Read the password from standard input.

So, putting it all together, you can do:

openssl pkcs12 -in cert.pfx -out cert.pem -passin pass:mypass -passout pass:mypass

As for why -password did not work for you:

-password arg

With -export, -password is equivalent to -passout. Otherwise, -password is equivalent to -passin.

So, since you are not using -export, it behaves the same as the -passin option. Because of this behaviour I prefer to use -passin and -passout explicitly.
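The same conversion as an added example that is not part of the original post: it uses the file: pass phrase source described in the man page instead of pass:, so neither password shows up in ps, and it checks that the resulting PEM really holds an encrypted key. The certificate, file names and passwords are constructed sample values; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive PFX -> PEM
# conversion where neither password appears on the command line.
set -eu

# Build a throwaway self-signed cert and pack it into a PFX (constructed
# sample input standing in for the questioner's cert.pfx).
make_sample_pfx() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$dir/key.pem" -out "$dir/crt.pem" >/dev/null 2>&1
  printf '%s\n' 'pfx-secret' > "$dir/pfx.pass"
  chmod 600 "$dir/pfx.pass"
  # file: source: the PFX password is read from the file, not from argv
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/crt.pem" \
    -out "$dir/cert.pfx" -passout "file:$dir/pfx.pass"
}

# pfx_to_pem PFX PASSFILE OUT
# PASSFILE has two lines: the PFX (input) password, then the PEM (output)
# password. Giving the same file: source to -passin and -passout makes
# openssl use line 1 for input and line 2 for output, as the man page says.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -out "$3" -passin "file:$2" -passout "file:$2"
}

# check_pem PEM PASSFILE: succeeds only if the key in PEM is stored
# encrypted and decrypts with the password in PASSFILE.
check_pem() {
  grep -q 'ENCRYPTED PRIVATE KEY' "$1" || return 1
  openssl pkey -in "$1" -passin "file:$2" -noout
}

demo() {
  dir=$(mktemp -d)
  make_sample_pfx "$dir"
  printf '%s\n%s\n' 'pfx-secret' 'pem-secret' > "$dir/both.pass"
  chmod 600 "$dir/both.pass"
  pfx_to_pem "$dir/cert.pfx" "$dir/both.pass" "$dir/cert.pem"
  printf '%s\n' 'pem-secret' > "$dir/pem.pass"
  check_pem "$dir/cert.pem" "$dir/pem.pass"
  # a wrong PEM password must be rejected
  printf '%s\n' 'wrong' > "$dir/bad.pass"
  if check_pem "$dir/cert.pem" "$dir/bad.pass" 2>/dev/null; then return 1; fi
  rm -rf "$dir"
  echo ok
}

demo
```

In a real script the pass phrase file would already exist with mode 600 (or be a named pipe or fd: descriptor), so the secret never reaches the process list or the shell history.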