25
votes

I am using OpenSSL to convert my "me.p12" to PEM. When I generated "me.p12", I set a password for it. The "me.p12" contains a private key and a certificate.

When I convert it to PEM, I run the command:

openssl pkcs12 -in me.p12 -out me.pem

Then it asked me for the import password:

Enter Import Password:
MAC verified OK

I entered the password I set for "me.p12", and it was verified OK. But next, it asks me:

Enter PEM pass phrase:

I have no idea what that is. When I generated "me.p12" I didn't set any other password. So, what is that? How do I figure this out?

3 Answers

37
votes

"Enter PEM pass phrase" appears because openssl doesn't want to output the private key in clear text. The password is used to output an encrypted private key.

The command below can be used to output the private key in clear text. No password is then asked for.

openssl pkcs12 -nodes -in me.p12 -out me.pem

0
votes

I encountered the same case. When this pass phrase appears for the first time, you must install it; later, when the phrase appears again in the terminal, you enter the pass phrase that you entered earlier.

0
votes

This is an old question, but I think this is the right answer:

# -passin: input file or pass phrase source
# -nodes:  don't encrypt private keys
# -in:     input filename
# -out:    output filename
openssl pkcs12 \
  -passin pass:'your_pass' \
  -nodes \
  -in me.p12 \
  -out me.pem

Usually you use it when writing a script; it can be combined with:

# -passout: output file or pass phrase source
openssl genrsa \
  -passout pass:'your_pass' \
  -out ca.key \
  -des3 2048
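
The non-interactive conversion from the answers above, as an added example that is not part of the original posts: it reads both pass phrases from environment variables with `env:` instead of `pass:` (command-line arguments are visible in process listings) and then checks whether the resulting PEM holds an encrypted or a cleartext key. The helper names, file names and pass phrase values are assumptions made for the example.

```shell
#!/bin/sh
# Added example; file names and pass phrases are constructed test values.

# Report whether a PEM file holds an encrypted or a cleartext private key.
pem_key_state() {
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # PKCS#8 or traditional encrypted key
    elif grep -q 'BEGIN .*PRIVATE KEY' "$1"; then
        echo cleartext      # what -nodes produces
    else
        echo none
    fi
}

# Convert PKCS#12 to PEM without prompts (hypothetical helper).
#   $1 input .p12, $2 output .pem, $3 "enc" (default) or "noenc"
#   P12_PASS = import password, PEM_PASS = PEM pass phrase (enc only)
p12_to_pem() (
    umask 077               # output holds a private key: owner-only
    if [ "${3:-enc}" = noenc ]; then
        openssl pkcs12 -in "$1" -out "$2" -passin env:P12_PASS -nodes
    else
        openssl pkcs12 -in "$1" -out "$2" -passin env:P12_PASS \
            -passout env:PEM_PASS
    fi
)

# Build a throwaway me.p12 in directory $1 so the demo runs offline.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example.test' \
        -days 1 -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/me.p12" -passout env:P12_PASS
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
export P12_PASS='constructed-import-pw' PEM_PASS='constructed-pem-pw'
make_sample_p12 "$work"
p12_to_pem "$work/me.p12" "$work/enc.pem"
p12_to_pem "$work/me.p12" "$work/clear.pem" noenc
echo "enc.pem:   $(pem_key_state "$work/enc.pem")"
echo "clear.pem: $(pem_key_state "$work/clear.pem")"
```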