2

I am writing a script in Python to automate the creation of certificates. I can successfully use subprocess.Popen to pass input parameters into keytool, but I cannot figure out how to do it with OpenSSL. I have done a bunch of research and have tried using "-passout", "-passin", "passwd" in almost all permutations, but I always get an invalid parameter. I am trying to do this with "openssl ca" and "openssl req".

```python
p = subprocess.Popen(['openssl', 'req', '-new', '-x509', '-extensions', 'v3_ca',
                      '-keyout', 'c:\\cert\\sslcert\\private\\cakey.pem',
                      '-out', 'c:\\cert\\sslcert\\cacert.pem',
                      '-days', '3653',
                      '-config', 'c:\\cert\\sslcert\\openssl.cnf'],
                     stdin=subprocess.PIPE, stdout=subprocess.PIPE)
stdout, stderr = p.communicate(input='\nXFY-' +date +'\n' +email +'\n' +'\n' +'\n' +'\n' +common_name +'\n')
```

Any attempt I make with the password switches results in an "unknown option -passout(-passin,passwd etc.)". All I want to be able to do is automatically enter a password that was input earlier using "getpass" into the openssl command.

Right now, when the code executes, it gets to the above command and says "Enter PEM pass phrase: ". After I enter this, the remaining parameters that I have in communicate() get executed as expected...just cannot get it to automagically enter the PEM pass phrase. Some other questions on this site that are similar mention to use "expect" or "pexpect", but this seems overly complicated. Is this the only way? Plus, pexpect doesn't ship with Python 2.7 by default, so you would have to add it after installing Python and this is something that I will need to do frequently on different machines.

Edit: It looks like pexpect is for UNIX machines anyways. I am doing this on Windows.

6
  • Can you get a -passin arg to work with OpenSSL from the command line? Commented Jun 20, 2014 at 0:05
  • I cannot. I always get an "unknown option". I tried putting it right after openssl like openssl req -passin pass:password as well as in the end and middle somewhere, but it always says unknown option. Commented Jun 20, 2014 at 0:11
  • Actually, I just tried it again to make sure and it does not say "unknown option" when I throw it on at the end, but it still prompts for the "Enter PEM pass phrase: " part. Commented Jun 20, 2014 at 0:13
  • Ah, I don't think you need -passin, actually, since you are not supplying a key. Try -passout from the command line - I think that's what you're being prompted for. Commented Jun 20, 2014 at 0:26
  • So typing it in at the command shell (using -passout) works, but the exact same statement using subprocess.Popen, does not: p = subprocess.Popen(['openssl', 'req', '-passout pass:mypassword','-new', '-x509', '-extensions', 'v3_ca', '-keyout', 'c:\\cert\\sslcert\\private\\cakey.pem', '-out', 'c:\\cert\\sslcert\\cacert.pem', '-days', '3653', '-config', 'c:\\cert\\sslcert\\openssl.cnf'],stdin=subprocess.PIPE,stdout=subprocess.PIPE) stdout, stderr = p.communicate(input='\nXFAMILY-' +date +'\n' +email +'\n' +'\n' +'\n' +'\n' +common_name +'\n') I get an "unknown option". Commented Jun 20, 2014 at 0:43

1 Answer

3

When you pass arguments to Popen() you need to separate the options and the value. -passout pass:mypassword should be two arguments, not one.

1 Comment

Thank you, this was the problem!
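
The fix from the answer, as an added example that is not part of the original thread: each option and its value are separate list items, and a small check flags items like the fused `-passout pass:mypassword` from the comments. It goes beyond the thread in two labelled assumptions: the pass phrase is supplied with `-passout stdin` rather than `pass:` on the command line, and `-subj` replaces the DN answers piped through `communicate()`; the paths and subject are placeholders.

```python
import subprocess

def build_req_argv(keyout, out, config, subject, days=3653):
    """argv for a self-signed CA certificate. Every option and its value
    are separate list items: Popen hands each item to openssl as exactly
    one argument, and no shell splits it on spaces."""
    return ["openssl", "req", "-new", "-x509", "-extensions", "v3_ca",
            "-keyout", keyout, "-out", out, "-days", str(days),
            "-config", config,
            "-subj", subject,      # assumption: replaces the piped DN answers
            "-passout", "stdin"]   # assumption: pass phrase read from stdin

def fused_options(argv):
    """Return items that glue an option to its value, e.g. '-passout pass:x'."""
    return [a for a in argv if a.startswith("-") and " " in a]

def create_ca_cert(passphrase, **paths):
    argv = build_req_argv(**paths)
    bad = fused_options(argv)
    if bad:
        raise ValueError("split into option and value: %r" % bad)
    p = subprocess.Popen(argv, stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    # The first line on stdin is the pass phrase, so it never shows up in
    # the process's command line the way 'pass:...' would.
    out, err = p.communicate(input=passphrase.encode() + b"\n")
    if p.returncode != 0:
        raise RuntimeError(err.decode(errors="replace"))
    return out

if __name__ == "__main__":
    import getpass
    create_ca_cert(getpass.getpass("CA key pass phrase: "),
                   keyout="cakey.pem", out="cacert.pem",   # placeholder paths
                   config="openssl.cnf",
                   subject="/CN=Example Root CA")          # constructed subject
```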
