Generating non-exportable private keys with OpenSSL?



I need some help from you, please...

I need to generate certificates with OpenSSL, but I need the private
keys to be non-exportable. How can I do it?

By default, when I generate my certificates with an RSA private key,
for example, and I import them to the browser, it always asks me if I
want to mark its key as exportable, but it wouldn't happen, this
checkbox would be inactive.

With Microsoft certreq/certutil, I can generate a certificate doing
this, but I don't want to use them; I prefer OpenSSL because of its more
powerful characteristics.

Here's my example batch script (in Windows):

------------- 8< CUT HERE 8< -------------
\openssl\bin\openssl genrsa -out \myCA\clients\keys\client-priv.pem

\openssl\bin\openssl req -new -key \myCA\clients\keys\client-priv.pem -subj "/DC=myentreprise/OU=com/CN=My Entreprise SL" -out \myCA\clients

echo basicConstraints=critical,CA:FALSE > \myCA\config2.txt
echo extendedKeyUsage=clientAuth >> \myCA\config2.txt

\openssl\bin\openssl x509 -CA \myCA\cacert.pem -CAkey \myCA\cakey.pem -req -in \myCA\clients\csr\req-client-cert.pem -set_serial 3 -days 15 -extfile \myCA\config2.txt -sha1 -out \aequifxCA\clients\certs\client-

\openssl\bin\openssl pkcs12 -export -in \myCA\clients\certs\client-cert.pem -inkey \myCA\clients\keys\client-priv.pem -certfile \aequifxCA\cacert.pem -out \myCA\clients\browser\client-cert-pkcs12.p12

------------- 8< CUT HERE 8< -------------

Thanks in advance,

Marcos Martinez
