How to remove Private Key Password from pkcs12 container?
- I extracted certificate using Chrome's SSL/export command.
- Then provided it as input to openvpn - in the config for openvpn:
pkcs12 "path/to/pkcs12_container"
- When calling
openvpn ~/openvp_config
it asks for a password for the private key (which I entered when exporting using Chrome): Enter Private Key Password:...
- I want to remove this password request.
The question: how to remove the password for private key from pkcs12?
That is, create pkcs12 file which doesn't require a password.
(It seems that I already somehow did this a year ago, and have now forgotten it. Damn.)
It can be achieved by various openssl calls.
- PASSWORD is your current password
- YourPKCSFile is the file you want to convert
- NewPKCSWithoutPassphraseFile is the target file for the PKCS12 without passphrase
First, extract the certificate:
$ openssl pkcs12 -clcerts -nokeys -in "YourPKCSFile" \
-out certificate.crt -password pass:PASSWORD -passin pass:PASSWORD
Second, the CA key:
$ openssl pkcs12 -cacerts -nokeys -in "YourPKCSFile" \
-out ca-cert.ca -password pass:PASSWORD -passin pass:PASSWORD
Now, the private key:
$ openssl pkcs12 -nocerts -in "YourPKCSFile" \
-out private.key -password pass:PASSWORD -passin pass:PASSWORD \
-passout pass:TemporaryPassword
Now remove the passphrase:
$ openssl rsa -in private.key -out "NewKeyFile.key" \
-passin pass:TemporaryPassword
Put things together for the new PKCS-File:
$ cat "NewKeyFile.key" \
"certificate.crt" \
"ca-cert.ca" > PEM.pem
And create the new file:
$ openssl pkcs12 -export -nodes -CAfile ca-cert.ca \
-in PEM.pem -out "NewPKCSWithoutPassphraseFile"
Now you have a new PKCS12 key file without passphrase on the private key part.
The simplest solution I've found is
Export to temporary pem file
openssl pkcs12 -in protected.p12 -nodes -out temp.pem
# -> Enter password
Convert pem back to p12
openssl pkcs12 -export -in temp.pem -out unprotected.p12
# -> Just press [return] twice for no password
Remove temporary certificate
rm temp.pem
This can easily be done in one step with no temporary file:
openssl pkcs12 -in "PKCSFile" -nodes | openssl pkcs12 -export -out "PKCSFile-Nopass"
Answer the Import Password prompt with the password. Answer the Export Password prompts with <CR>.
Done.
Note that this handles any number of intermediate certificates that may be in the bundle...
I strongly recommend taking care with the resulting file; it would be a good idea to set umask to 377 first (non-unix: this means only owner can read file that's created.) I suppose that's 2 steps, if your default umask is permissive...