A neat trick with OpenSSL is that a number of its arguments can be supplied from environment variables instead of literally. Now you may be thinking, "yeah, they call it scripting", but the reality is a bit more subtle. Say you want to pass a credential to a chain of openssl commands. You can write the credential into your script, but it then ends up in logs (e.g. sudo's) and in the process list, exposing it to anyone who cares to look.
With the `env:` password source (as in `-passin env:X`) you tell openssl "for this value, look up the environment variable X", so the command line of the running process shows only the variable name and never the credential itself.
Here is an example script which illustrates this by dumping the contents of a whack load of PKCS12 certificate stores.
Note that the import and key passwords are passed in without the credential ever leaving the process environment (which a process running as the same user, or root, can still read, so the script clears the variable once it is done).
Pretty slick bit of functionality.
```sh
#!/bin/sh
# ./check_certificates.sh 2>/dev/null | grep 'CN=.*example.com$'  <--- dump certificates, grab .gwl.bz hostnames from CNs

PACKAGE_FOLDER=packages
EXPORT_PASSWORD="ZOMGWTFBBQ^2!"
export EXPORT_PASSWORD

for HOST in $(cat hosts.txt); do
    # Show contents of the PKCS12 package, don't care if it's named .p12 or .pfx.
    # -passin opens the store, -passout protects the private key on the way out;
    # both read the secret from the environment, so only "EXPORT_PASSWORD" shows in ps.
    openssl pkcs12 -info -in "${PACKAGE_FOLDER}"/"${HOST}".p* \
        -passin env:EXPORT_PASSWORD -passout env:EXPORT_PASSWORD
done

# Not _entirely_ necessary but never hurts: blank the secret out of the environment.
EXPORT_PASSWORD=""
export EXPORT_PASSWORD
```
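As an added, self-contained illustration (not the post's script): this builds a throw-away PKCS12 store with `-passout env:`, reads it back with `-passin env:`, and contrasts what lands in argv with the `pass:` form versus the `env:` form. The store path, the `P12_PASSWORD` variable and the `test.example.com` subject are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: build a throw-away PKCS12 store,
# open it with the password taken from the environment, and show which of the
# two password-source forms would expose the secret on the command line.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed throw-away credential for the demo; a real one would come from
# a prompt, a tightly permissioned file, or a secrets manager.
P12_PASSWORD='ZOMGWTFBBQ^2!'
export P12_PASSWORD

# Create a self-signed test certificate and wrap key + cert in a PKCS12 store.
# The export password is read from the environment, never placed in argv.
make_store() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=test.example.com' \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$WORK/store.p12" -passout env:P12_PASSWORD
}

# Open the store with -passin env: and print the certificate subject in
# RFC2253 form (stable across OpenSSL versions). The process list shows only
# the variable name P12_PASSWORD.
dump_store_subject() {
    openssl pkcs12 -in "$WORK/store.p12" -nokeys -passin env:P12_PASSWORD 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253
}

# Given a -passin/-passout argument exactly as a script would pass it, report
# whether the secret itself would be visible in argv (ps, sudo logs, shell
# history). Returns 0 when it leaks, 1 when only the variable name is exposed.
argv_leaks_secret() {
    case "$1" in
        *"$P12_PASSWORD"*) return 0 ;;
        *)                 return 1 ;;
    esac
}

make_store
dump_store_subject
argv_leaks_secret "pass:$P12_PASSWORD" && echo "pass: form puts the secret in argv"
argv_leaks_secret "env:P12_PASSWORD"  || echo "env: form exposes only the variable name"

# The environment is still readable by same-user processes and root, so drop
# the secret as soon as the work is done.
unset P12_PASSWORD
```

The last line is the same hygiene step as the post's script; `unset` removes the variable entirely rather than leaving it exported and empty.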