How to remove Private Key Password from pkcs12 container?

ssl-certificate openssl
  1. I extracted certificate using Chrome's SSL/export command.
  2. Then provided it as input to openvpn - in the config for openvpn:
    pkcs12 "path/to/pkcs12_container"
  3. When calling openvpn ~/openvp_config it asks for a password for private key (wich I entered when exporting using Chrome):
    Enter Private Key Password:...
  4. I want to remove this password request.

The question: how to remove the password for private key from pkcs12?

That is, create pkcs12 file which doesn't require a password.

(seems that I already somehow did this a year ago, and now forgot it.damn.)


It can be achieved by various openssl calls.

  • PASSWORD is your current password
  • YourPKCSFile is the file you want to convert
  • NewPKCSWithoutPassphraseFile is the target file for the PKCS12 without passphrase

First, extract the certificate:

$ openssl pkcs12 -clcerts -nokeys -in "YourPKCSFile" \
      -out certificate.crt -password pass:PASSWORD -passin pass:PASSWORD

Second, the CA key:

$ openssl pkcs12 -cacerts -nokeys -in "YourPKCSFile" \
      -out ca-cert.ca -password pass:PASSWORD -passin pass:PASSWORD

Now, the private key:

$ openssl pkcs12 -nocerts -in "YourPKCSFile" \
      -out private.key -password pass:PASSWORD -passin pass:PASSWORD \
      -passout pass:TemporaryPassword

Now remove the passphrase:

$ openssl rsa -in private.key -out "NewKeyFile.key" \
      -passin pass:TemporaryPassword

Put things together for the new PKCS-File:

$ cat "NewKeyFile.key"  \
      "certificate.crt" \
      "ca-cert.ca" > PEM.pem

And create the new file:

$ openssl pkcs12 -export -nodes -CAfile ca-cert.ca \
      -in PEM.pem -out "NewPKCSWithoutPassphraseFile"

Now you have a new PKCS12 key file without passphrase on the private key part.


The simplest solution I've found is

Export to temporary pem file

openssl pkcs12 -in protected.p12 -nodes -out temp.pem
#  -> Enter password

Convert pem back to p12

openssl pkcs12 -export -in temp.pem  -out unprotected.p12
# -> Just press [return] twice for no password

Remove temporary certificate

rm temp.pem

This can easily be done in one step with no temporary file:

openssl pkcs12 -in "PKCSFile" -nodes | openssl pkcs12 -export -out "PKCSFile-Nopass"

Answer the Import Password prompt with the password. Answer the Export Passowrd prompts with <CR>

Done.

Note that this handles any number of intermediate certificates that may be in the bundle...

I strongly recommend taking care with the resulting file; it would be a good idea to set umask to 377 first (non-unix: this means only owner can read file that's created.) I suppose that's 2 steps, if your default umask is permissive...

Related

bash/sed/awk/etc remove every other newline
Is there any reason not to enforce HTTPS on a website?
Linux: How to know where a process was started and how it was started?
Are zipped EXE files harmless for Linux servers?
How can I successfully mount an 8-bit SCSI drive on a modern computer?
Windows TCP Window Scaling Hitting plateau too early
System process (PID 4) constantly accessing the hard disk
What's the difference between sudo su - postgres and sudo -u postgres?
How do I back up an AWS S3 Bucket without versioning the source bucket [closed]
What's the difference between a Layer 2 & Layer 3 switch
get notification when systemd-monitored service enters failed state
Is there a built-in command-line tool under Windows like wget/curl?