The intent of this post is to list the steps to generate a self signed user certificate that has an encrypted private key with a passphrase.
Generate private key with passphrase
bash> openssl genrsa -des3 -passout pass:1234 -out client_key.pem 2048
(it has to be atleast 4 characters long)
To verify that this is encrypted private key, easy step is to open this private key in an editor & it will have content like;
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,974D80EBEF938726
hWANCxIG3lT1qaoTqza84pk10JeGD2vUXoVRj92WI2k+eYJvVhnW/tz5cZzNeozu
............................................
............................................
............................................
-----END RSA PRIVATE KEY-----
Generate csr using above generated private key
bash> openssl req -out client.csr -new -nodes -key client_key.pem -sha256
(to proceed, it will ask you for the private key passphrase)
Self Sign the user certifcate with Root CA
bash> openssl x509 -req -days 360 -in client.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client_cert.pem -sha256
(you will be asked for ca cert key password)
Hope this helps :-)
Enjoy :-)