I am generating exporting some pkcs#12 files for testing purposes. These files are not being used in production and only exist temporary during automated testing.
I am using the following command:
openssl pkcs12 -export -nodes -out bundle.pfx -inkey mykey.key -in certificate.crt -certfile ca-cert.crt
Why is it insisting on an export password when I have included -nodes?
My OpenSSL version is OpenSSL 1.0.1f 6 Jan 2014 on Ubuntu Server 14.10 64-bit.
In interactive mode, when it prompts for a password, just press enter and there will be no password set.
If you are want to automate that (for example as an ansible command), use the -passout argument. It expects the parameter to be in the form pass:mypassword. Since we want no password:
openssl pkcs12 -export -nodes -out bundle.pfx -inkey mykey.key -in certificate.crt -certfile ca-cert.crt -passout pass:
tl;dr What you are trying to do simply can't be done with the OpenSSL command line utility. It can only be done programmatically using libcrypto, the crypto library of OpenSSL.
-nodes means "don't encrypt private key" but in a PKCS#12 file, the certificates are encrypted as well, so even with -nodes you'd need an export password.
See documentation of -descert which says:
Encrypt the certificate using triple DES; this may render the PKCS#12 file unreadable by some "export grade" software. By default, the private key is encrypted using triple DES and the certificate using 40-bit RC2.
So unless you use this option, the certificates are encrypted using RC2. You can change the algorithms for either key or certificate using the options -keypbe and -certpbe.
Also for openssl pkcs12 the -nodes option is only listed in the section:
The options for parsing a PKCS12 file are as follows:
But you are not parsing such a file, you are creating it and if you look at
The options for PKCS12 file creation are as follows:
the option -nodes is not even listed.
Just hitting return when prompted for a password also won't mean "no password" but it means "empty password" (your password is an empty string), which is legal. The reason why this works like no password in some cases is that some software will try to read PKCS#12 files with an empty string password first and only if that fails, prompt the user for an actual password, so if the password is empty, the user won't ever be prompted in these cases making it look like there is "no password" set.
This can cause issues in macOS and iOS, as Apple assumes that PKCS#12 always has a password set and it won't allow you to enter an "empty password", so if a file has an empty password set, it's impossible to import it on these systems. Firefox also had this issue in the very beginning but it was fixed 13 years ago.
When reading a PKCS#12 file, OpenSSL itself tries to distinguish "no password" and "empty password" only by guessing. Here is original code from the project:
/* If we enter empty password try no password first */
if(!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
/* If mac and crypto pass the same set it to NULL too */
if(!twopass) cpass = NULL;
} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
BIO_printf (bio_err, "Mac verify error: invalid password?\n");
ERR_print_errors (bio_err);
goto end;
}
The first time NULL is passed for password, the second time the empty string is parsed for password. Now let's look at the code when creating a P12 file:
p12 = PKCS12_create(cpass, name, key, ucert, certs,
key_pbe, cert_pbe, iter, -1, keytype);
Theoretically this call would create a PKCS#12 file without a password if, and only if cpass is NULL, however, when this call is being made, it cannot be NULL because if you follow the code path from the beginning of the function to the call above, there is no code path that would lead to cpass being NULL in the end.
if(!cpass) {
if(export_cert) cpass = passout;
else cpass = passin;
}
if(cpass) {
mpass = cpass;
noprompt = 1;
} else {
cpass = pass;
mpass = macpass;
}
In case cpass was still NULL at the last if, it will be set to pass and pass is:
char pass[50], macpass[50];
This is a static static variable and when stored to a pointer, this pointer cannot be NULL. There is not other code that ever assigns a different value to cpass, so cpass can be an empty string but it can certainly not be NULL and thus no PKCS#12 file that OpenSSL will ever create on command line as no password. It may have an empty password but it certainly has a password.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 做个烂人 的文章《Export a PKCS#12 file without an export password?》','https://www.manongdao.com/article-221026.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}