Reputation: 2021
I am writing a script in Python to automate the creation of certificates. I can successfully use subprocess.Popen to pass input parameters into keytool, but I cannot figure out how to do it with OpenSSL. I have done a bunch of research and have tried using "-passout", "-passin", "passwd" in almost all permutations, but I always get an invalid parameter. I am trying to do this with "openssl ca" and "openssl req".
```python
import subprocess

# date, email and common_name are set earlier in the script
p = subprocess.Popen(['openssl', 'req', '-new', '-x509', '-extensions', 'v3_ca',
                      '-keyout', 'c:\\cert\\sslcert\\private\\cakey.pem',
                      '-out', 'c:\\cert\\sslcert\\cacert.pem',
                      '-days', '3653', '-config', 'c:\\cert\\sslcert\\openssl.cnf'],
                     stdin=subprocess.PIPE, stdout=subprocess.PIPE)
# Answers to the interactive prompts, one per line
stdout, stderr = p.communicate(input='\nXFY-' + date + '\n' + email + '\n' + '\n' + '\n' + '\n' + common_name + '\n')
```
Any attempt I make with the password switches results in an "unknown option -passout(-passin,passwd etc.)". All I want to be able to do is automatically enter a password that was input earlier using "getpass" into the openssl command.
Right now, when the code executes, it gets to the above command and says "Enter PEM pass phrase: ". After I enter this, the remaining parameters that I have in communicate() get executed as expected...just cannot get it to automagically enter the PEM pass phrase. Some other questions on this site that are similar mention using "expect" or "pexpect", but this seems overly complicated. Is this the only way? Plus, pexpect doesn't ship with Python 2.7 by default, so you would have to add it after installing Python and this is something that I will need to do frequently on different machines.
Edit: It looks like pexpect is for UNIX machines anyways. I am doing this on Windows.
Upvotes: 2
Views: 2569
Reputation: 15841
When you pass arguments to Popen(), you need to separate the options and the value. -passout pass:mypassword should be two arguments, not one.
Upvotes: 3
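The argument split described in the answer, as an added example that is not code from either poster. It goes one step beyond the answer by using OpenSSL's `env:` pass phrase source instead of `pass:`, so the value collected with getpass does not appear on the child's command line, and by using `-batch` with `-subj` in place of the piped prompt answers. The variable name `CA_KEY_PASS`, the helper names and the subject string are assumptions made for this example.

```python
import os
import subprocess

PASS_ENV_VAR = "CA_KEY_PASS"  # hypothetical name, chosen for this example


def build_req_command(key_path, cert_path, config_path, subject, days=3653):
    """Return the argv list for a non-interactive self-signed CA certificate."""
    return [
        "openssl", "req", "-new", "-x509", "-batch",
        "-extensions", "v3_ca",
        "-keyout", key_path,
        "-out", cert_path,
        "-days", str(days),
        "-config", config_path,
        # -subj supplies the DN fields, so nothing is piped to stdin.
        "-subj", subject,
        # Option and value are two separate list elements, as the answer
        # describes. "env:NAME" makes openssl read the pass phrase from the
        # environment, keeping it out of the process arguments.
        "-passout", "env:" + PASS_ENV_VAR,
    ]


def build_child_env(passphrase, base_env=None):
    """Copy the environment and add the pass phrase for the child only."""
    env = dict(os.environ if base_env is None else base_env)
    env[PASS_ENV_VAR] = passphrase
    return env


def create_ca(passphrase, key_path, cert_path, config_path, subject):
    """Run openssl req; raise with openssl's own message on failure."""
    argv = build_req_command(key_path, cert_path, config_path, subject)
    proc = subprocess.Popen(argv, env=build_child_env(passphrase),
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate()
    if proc.returncode != 0:
        raise RuntimeError("openssl req failed: %r" % (err,))
    return out
```

The matching read side, for example a later `openssl ca` call that must unlock the key, takes `-passin` with the same `env:` form, again as two list elements.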