
Windows, OpenSSL generate a new .pem from key.pem and cert.pem

I have the following files Cert.pem, Key.pem, CACert.pem

I have been told that I need to decrypt the key.pem. 1) What is the Windows OpenSSL command to do this?

I need to combine the decrypted key.pem file with the cert.pem file to produce a new cert.pem file. 2) What is the Windows OpenSSL command to do this?

Thanks

Unix installations of OpenSSL should include man pages, but Windows versions often do not because Windows doesn't usually have any way of finding and displaying them. Man pages for the currently supported releases, plus 'master' which is the development head, are available on the OpenSSL website at https://www.openssl.org/docs/manpages.html . All OpenSSL 'commands' are actually run by the (single) program openssl, thus you execute pkey some args by running

 openssl pkey some args
 rem if openssl.exe is on your PATH or in the current directory, otherwise
 x:\path\to\openssl pkey some args

You don't mention having the password for the encrypted key file; I hope you do because you can't decrypt (or do anything else) without it.

For 1.0.0 up, pkey is the preferred way to convert private keys, including encrypting and decrypting; see its man page. In brief you simply tell pkey to read from the input file and write to the output file, and omit any specification of a cipher; that omission will cause it to write an unencrypted key. Note pkey will write the output in PKCS8 format, which is preferred for most purposes, but if you actually need a 'legacy' or 'traditional' format for some reason -- ask whoever 'told' you what software this file will be used with -- 1.1.0 pkey can do this but earlier cannot. If you are stuck with a 0.9.x release, usually only on obsolete systems, use pkcs8 -topk8 -nocrypt for PKCS8 output; see that.

If you need legacy/traditional format (on a release below 1.1.0) you must use the 'legacy' per-algorithm commands, so you need to know what algorithm your key(file) is. Look at the first line where it says -----BEGIN something PRIVATE KEY-----. If something is RSA, use rsa; for DSA dsa; for EC ec; see the respective pages. If something is ENCRYPTED you must decrypt it to PKCS8 as above first, then look at it with asn1parse to determine which algorithm it is, but I expect it's not very likely someone who wants a legacy unencrypted key will start with a PKCS8 encrypted one.

OpenSSL does not provide any special operation to combine PEM files, since concatenating files of many types is a common operation. On Unix this is canonically done with the cat program; on Windows it can be done by using the (builtin) copy command with plus-sign(s) in the source; on both Unix and Windows it can be done by creating a file and then appending to it like:

 copy decryptedkey.pem combined.pem
 type certificate.pem >> combined.pem
 rem >> means redirect the output from that command ('type') 
 rem normally on the console to _the end of_ the named file.

In this case you want to modify cert.pem by adding the contents of decryptedkey.pem, so just do

 type decryptedkey.pem >> cert.pem

Alternatively you can use a plaintext editor like notepad. Open both files; select all the text in the second file and copy (or cut) and paste it at the end of the first file; save the modified first file.
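
The two steps from the answer above as one cmd batch file, with a check that the key really belongs to the certificate before the two are combined. This is an added example, not part of the original answer; decryptedkey.pem, combined.pem and the .tmp file names are assumptions, and it assumes openssl.exe (1.0.0 or later) is on the PATH.

```batch
@echo off
rem Added example, not from the answer above. key.pem and cert.pem are the
rem asker's files; every other file name here is an assumption.
setlocal

rem 1) Decrypt. No cipher option is given, so pkey writes an unencrypted
rem    PKCS8 key. openssl prompts for the pass phrase of key.pem.
openssl pkey -in key.pem -out decryptedkey.pem
if errorlevel 1 goto fail

rem 2) Confirm the key belongs to the certificate: the public key derived
rem    from the private key must equal the one inside the certificate.
openssl pkey -in decryptedkey.pem -pubout > key.pub.tmp
if errorlevel 1 goto fail
openssl x509 -in cert.pem -noout -pubkey > cert.pub.tmp
if errorlevel 1 goto fail
fc key.pub.tmp cert.pub.tmp > nul
if errorlevel 1 (
    echo key.pem does not match cert.pem
    goto fail
)

rem 3) Concatenate. /b copies in binary mode, so copy does not append a
rem    Ctrl-Z end-of-file character after the last PEM block.
copy /b cert.pem + decryptedkey.pem combined.pem > nul
if errorlevel 1 goto fail

rem 4) The private key is now stored unencrypted in two files: remove
rem    inherited permissions and leave access to the current user only.
icacls decryptedkey.pem /inheritance:r /grant:r "%USERNAME%:F" > nul
icacls combined.pem /inheritance:r /grant:r "%USERNAME%:F" > nul

del key.pub.tmp cert.pub.tmp
echo Wrote combined.pem
exit /b 0

:fail
del key.pub.tmp cert.pub.tmp 2> nul
echo Failed; do not use combined.pem
exit /b 1
```

If cert.pem does not end with a line break, the END CERTIFICATE and BEGIN PRIVATE KEY lines run together in combined.pem; open the result in a text editor to confirm each marker is on its own line.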
