How to remove Private Key Password from pkcs12 container?

  1. I extracted certificate using Chrome's SSL/export command.
  2. Then provided it as input to openvpn - in the config for openvpn:
    pkcs12 "path/to/pkcs12_container"
  3. When calling openvpn ~/openvp_config it asks for a password for private key (which I entered when exporting using Chrome):
    Enter Private Key Password:...
  4. I want to remove this password request.

The question: how to remove the password for private key from pkcs12?

That is, create pkcs12 file which doesn't require a password.

(Seems that I already somehow did this a year ago, and now forgot it. Damn.)


It can be achieved by various openssl calls.

  • PASSWORD is your current password
  • YourPKCSFile is the file you want to convert
  • NewPKCSWithoutPassphraseFile is the target file for the PKCS12 without passphrase

First, extract the certificate:

$ openssl pkcs12 -clcerts -nokeys -in "YourPKCSFile" \
      -out certificate.crt -password pass:PASSWORD -passin pass:PASSWORD

Second, the CA key:

$ openssl pkcs12 -cacerts -nokeys -in "YourPKCSFile" \
      -out ca-cert.ca -password pass:PASSWORD -passin pass:PASSWORD

Now, the private key:

$ openssl pkcs12 -nocerts -in "YourPKCSFile" \
      -out private.key -password pass:PASSWORD -passin pass:PASSWORD \
      -passout pass:TemporaryPassword

Now remove the passphrase:

$ openssl rsa -in private.key -out "NewKeyFile.key" \
      -passin pass:TemporaryPassword

Put things together for the new PKCS-File:

$ cat "NewKeyFile.key"  \
      "certificate.crt" \
      "ca-cert.ca" > PEM.pem

And create the new file:

$ openssl pkcs12 -export -nodes -CAfile ca-cert.ca \
      -in PEM.pem -out "NewPKCSWithoutPassphraseFile"

Now you have a new PKCS12 key file without passphrase on the private key part.


The simplest solution I've found is

Export to temporary pem file

openssl pkcs12 -in protected.p12 -nodes -out temp.pem
#  -> Enter password

Convert pem back to p12

openssl pkcs12 -export -in temp.pem  -out unprotected.p12
# -> Just press [return] twice for no password

Remove temporary certificate

rm temp.pem

This can easily be done in one step with no temporary file:

openssl pkcs12 -in "PKCSFile" -nodes | openssl pkcs12 -export -out "PKCSFile-Nopass"

Answer the Import Password prompt with the password. Answer the Export Password prompts with <CR>.

Done.

Note that this handles any number of intermediate certificates that may be in the bundle...

I strongly recommend taking care with the resulting file; it would be a good idea to set umask to 377 first (non-unix: this means only owner can read file that's created.) I suppose that's 2 steps, if your default umask is permissive...