Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Need help on: openssl pkcs12 --- avoid or in batch mode

2,728 views
Skip to first unread message

John Chen

unread,
Mar 22, 2010, 10:00:54 AM3/22/10
to

Hi Dr Stephen Henson,

I really could not solve this issue and need your help.

When I run openssl pkcs12 -in new.crt -inkey new.key certfile .CA/cacert.pem out new.p12 export name xx

It will prompt user for:

 

Enter Export Password:

Verifying - Enter Export Password:

Is anyway I can manipulate or default or void those two prompts since those prompts useless in here.

I checked pkcs12 command options seems there is no batch mode.

I also tried using wrapping script but no help either.

Thanks in advance.

John

-----Original Message-----
From: owner-ope...@openssl.org [mailto:owner-ope...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Saturday, March 20, 2010 2:21 PM
To: openss...@openssl.org
Subject: Re: Apache client certificate authentication

On Sat, Mar 20, 2010, Graham Leggett wrote:

> On 2010/03/20 6:55 PM, Nuno Gonçalves wrote:

>

>> Questions:

>> Is normal that firefox hangs when it doesn't have a valid certificate

>> to provide?

>> Openssl output looks OK?(or the error in the end is a exception?)

>

> I am not 100% sure of the details, but I do recall a hang being a symptom

> of using a client or a server that did not have the TLS renegotiation bug

> fixed along with a server or client that did.

>

The only known case is an OpenSSL client without secure renegotiation support

(i.e. earlier than 0.9.8m) attempting to renegotiate with a server which does

support renegotiation. If the server initiates renegotiation you don't get a

a hang.

Steve.

--

Dr Stephen N. Henson. OpenSSL project core developer.

Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________

OpenSSL Project                                 http://www.openssl.org

User Support Mailing List                    openss...@openssl.org

Automated List Manager                           majo...@openssl.org

Mounir IDRASSI

unread,
Mar 22, 2010, 10:53:05 AM3/22/10
to
Hi John,

I have already answered your question on the list two days ago. Here is what I wrote :

To avoid the password prompt, you can add the argument "-password pass:" to the command line. This will use an empty password for the PKCS12 file.
For a non empty value, for example 1234, use "-password pass:1234" instead.

I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 3/22/2010 3:00 PM, John Chen wrote:
> Hi Dr Stephen Henson,
>
> I really could not solve this issue and need your help.
>

> When I run openssl pkcs12 -in new.crt -inkey new.key -certfile .CA/cacert.pem -out new.p12 -export -name "xx"

John Chen

unread,
Mar 24, 2010, 10:14:20 AM3/24/10
to

Hi guys,

 

I am still searching for the answer of batch mode on openssl pkcs12 but no luck.

Is anyone can help me a work around way to avoid

Enter Export Password:

Verifying – Enter Export Password:

 

Above to prompts.

 

Thanks

 

John

 

 

 

 

 

From: owner-ope...@openssl.org [mailto:owner-ope...@openssl.org] On Behalf Of John Chen
Sent: Monday, March 22, 2010 10:01 AM
To: openss...@openssl.org
Subject: Need help on: openssl pkcs12 --- avoid or in batch mode

 

Hi Dr Stephen Henson,

I really could not solve this issue and need your help.

When I run openssl pkcs12 -in new.crt -inkey new.key –certfile .CA/cacert.pem –out new.p12 –export –name “xx”

John Chen

unread,
Mar 24, 2010, 11:52:20 AM3/24/10
to

Hi guys,

 

I am still searching for the answer of batch mode on openssl pkcs12 but no luck.

Is anyone can help me a work around way to avoid

 

Enter Export Password:

Verifying – Enter Export Password:

 

 

Above two prompts.

 

 

Thanks

 

John

Dr. Stephen Henson

unread,
Mar 24, 2010, 12:02:14 PM3/24/10
to
On Wed, Mar 24, 2010, John Chen wrote:

> Hi guys,
>
>
>
> I am still searching for the answer of batch mode on openssl pkcs12 but
> no luck.
>
> Is anyone can help me a work around way to avoid
>
>
>
> Enter Export Password:
>

> Verifying - Enter Export Password:
>
>
>
>
>
> Above two prompts.
>
>

This has been answered several times on the mailing lists and in the manual
pages. See for example the -passout command line option:

http://www.openssl.org/docs/apps/pkcs12.html#
http://www.openssl.org/docs/apps/openssl.html#PASS_PHRASE_ARGUMENTS

Mounir IDRASSI

unread,
Mar 24, 2010, 11:40:24 AM3/24/10
to
Hi John,

I have already answered your question twice on the list but it seems
that you didn't receive them for an unknown reason.
Look at the link below of OpenSSL list archive to reader what I wrote :

http://marc.info/?t=126901197400009&r=1&w=2

Have a nice day,


--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 3/24/2010 3:14 PM, John Chen wrote:
> Hi guys,
>
>
>
> I am still searching for the answer of batch mode on openssl pkcs12 but no luck.
>
> Is anyone can help me a work around way to avoid
>
> Enter Export Password:
>
> Verifying - Enter Export Password:
>
>
>

> Above to prompts.
>
>
>
> Thanks
>
>
>
> John
>
>
>
>
>
>
>
>
>
>
>
> From: owner-ope...@openssl.org [mailto:owner-ope...@openssl.org] On Behalf Of John Chen
> Sent: Monday, March 22, 2010 10:01 AM
> To: openss...@openssl.org
> Subject: Need help on: openssl pkcs12 --- avoid or in batch mode
>
>
>
> Hi Dr Stephen Henson,
>
> I really could not solve this issue and need your help.
>

> When I run openssl pkcs12 -in new.crt -inkey new.key -certfile .CA/cacert.pem -out new.p12 -export -name "xx"


>
> It will prompt user for:
>
>
>

> Enter Export Password:
>
> Verifying - Enter Export Password:
>

> Is anyway I can manipulate or default or void those two prompts since those prompts useless in here.
>
> I checked pkcs12 command options seems there is no batch mode.
>
> I also tried using wrapping script but no help either.
>
> Thanks in advance.
>
> John
>
> -----Original Message-----
> From: owner-ope...@openssl.org [mailto:owner-ope...@openssl.org] On Behalf Of Dr. Stephen Henson
> Sent: Saturday, March 20, 2010 2:21 PM
> To: openss...@openssl.org
> Subject: Re: Apache client certificate authentication
>
> On Sat, Mar 20, 2010, Graham Leggett wrote:
>
>
>> On 2010/03/20 6:55 PM, Nuno Gonçalves wrote:
>>
>
>>
>
>>> Questions:
>>>
>
>>> Is normal that firefox hangs when it doesn't have a valid certificate
>>>
>
>>> to provide?
>>>
>
>>> Openssl output looks OK?(or the error in the end is a exception?)
>>>
>
>>
>
>> I am not 100% sure of the details, but I do recall a hang being a symptom
>>
>
>> of using a client or a server that did not have the TLS renegotiation bug
>>
>
>> fixed along with a server or client that did.
>>
>
>>
> The only known case is an OpenSSL client without secure renegotiation support
>
> (i.e. earlier than 0.9.8m) attempting to renegotiate with a server which does
>
> support renegotiation. If the server initiates renegotiation you don't get a
>
> a hang.
>

0 new messages