5

It is not clear to me what the second command does.

openssl genrsa -des3 -passout pass:123 -out private/server.key 2048
openssl rsa -passin pass:123 -in private/server.key -out private/server.key

The first one generates an RSA key encrypted using des3 with pass 123. What about the second one? Does it remove the password?

Thank you,

user217354

1 Answer

4

The first one generates an RSA key encrypted using des3 with pass 123. What about the second one? Does it remove the password?

Yes, that is what is happening. The normal form for removing a passphrase from an encrypted private key is:

rsa -in some.key -out some.key

This prompts the user for the passphrase at the command line.

The use of -passin stems from the fact that (as noted) the key was encrypted in the first step and whoever wrote the command wanted the passphrase supplied automatically (with no prompting).

Specifically, -passin indicates "the input file password source", which can be a password, a file or other arguments.

Anaksunaman
  • So do you think it is trying to re-encrypt the key or is it a convenient way to avoid user input during the process? How can the RSA cmd remove the pw without asking for it? – user217354 Sep 28 '17 at 09:58
  • Apologies. The answer erroneously gave partially incorrect information. There are no passphrases for non-encrypted private keys. The usage is for convenience, as you surmised. Normally, passphrases are prompted for at the command line after running the initial command listed (which then unencrypts the private key assuming the passwords match). – Anaksunaman Sep 28 '17 at 13:45