Cannot decrypt private key even though I know the passphrase

Solution 1:

I believe your private key was modified, as I was able to duplicate the same error message by changing a single character in a sample passphrase-protected key I had just created.

You can reproduce this as follows:

  1. Create a passphrase-protected private key.
  2. Decrypt the private key to make sure it works.
  3. Change a single character inside the file containing the encrypted private key.
  4. Try to decrypt it now.

[testuser@whitehat .ssh]$ openssl rsa -in id_rsa -out id_rsa.decrypted
Enter pass phrase for id_rsa:
writing RSA key
[testuser@whitehat .ssh]$ ls -al id_rsa*
-rw-------. 1 testuser testuser 951 Mar 24 15:01 id_rsa
-rw-rw-r--. 1 testuser testuser 887 Mar 24 15:02 id_rsa.decrypted
-rw-r--r--. 1 testuser testuser 236 Mar 24 14:52 id_rsa.pub
[testuser@whitehat .ssh]$ vim id_rsa
[testuser@whitehat .ssh]$ openssl rsa -in id_rsa -out id_rsa.decrypted
Enter pass phrase for id_rsa:
unable to load Private Key
139900595279688:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
139900595279688:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1306:
139900595279688:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=RSA
139900595279688:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115:
139900595279688:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
139900595279688:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1306:
139900595279688:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS8_PRIV_KEY_INFO
139900595279688:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:
[testuser@whitehat .ssh]$ 

OS and OpenSSL version info:

[testuser@whitehat /]$ lsb_release -a
LSB Version:    :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: Scientific
Description:    Scientific Linux release 6.2 (Carbon)
Release:    6.2
Codename:   Carbon
[testuser@whitehat /]$ rpm -q openssl
openssl-1.0.1e-30.el6_6.5.x86_64
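
The four steps above as a script, added here as an example rather than something from the original answer. It assumes a POSIX sh, awk and the openssl CLI; the file names, passphrases and the work directory are arbitrary. Beyond the answer's reproduction, try_decrypt also sorts the failure by what openssl reports: a rejected passphrase on an intact file typically shows up as "bad decrypt", while a damaged file fails inside the ASN.1 decoder, which is the shape of the error log in the question.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes POSIX sh, awk
# and the openssl CLI (1.1 or 3.x). Names and passphrases are made up.

WORK="${TMPDIR:-/tmp}/keycheck.$$"

# Step 1: write a 2048-bit RSA key to $1, encrypted under passphrase $2.
make_encrypted_key() {
    openssl genrsa -aes128 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# Steps 2 and 4: try to load key file $1 with passphrase $2.
# Prints a one-word verdict; returns 0 only when openssl accepted the key.
try_decrypt() {
    status=0
    err=$(openssl rsa -in "$1" -passin "pass:$2" -noout -check 2>&1) || status=$?
    if [ "$status" -eq 0 ]; then
        echo ok
    elif echo "$err" | grep -qi 'bad decrypt'; then
        echo wrong-passphrase      # ciphertext intact, passphrase rejected
    elif echo "$err" | grep -qi 'asn1'; then
        echo corrupt-structure     # decoder failed, as in the question's log
    else
        echo unknown
    fi
    return "$status"
}

# Step 3: flip the first character of the first base64 body line of $1.
# Header lines ("Proc-Type:", "DEK-Info:") and the armor lines are skipped,
# so this works for both traditional PEM and encrypted PKCS#8 output.
corrupt_one_char() {
    awk 'BEGIN { done = 0 }
         !done && $0 !~ /^-----/ && $0 !~ /:/ && NF > 0 {
             c = substr($0, 1, 1)
             sub(/^./, (c == "A") ? "B" : "A")
             done = 1
         }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone demo: right passphrase, wrong passphrase, then a damaged file.
demo() {
    mkdir -p "$WORK"
    make_encrypted_key "$WORK/id_rsa" 'correct horse battery staple'
    cp "$WORK/id_rsa" "$WORK/id_rsa.orig"
    printf 'right passphrase, intact file: %s\n' \
        "$(try_decrypt "$WORK/id_rsa" 'correct horse battery staple')"
    printf 'wrong passphrase, intact file: %s\n' \
        "$(try_decrypt "$WORK/id_rsa" 'not the passphrase')"
    corrupt_one_char "$WORK/id_rsa"
    printf 'right passphrase, one character changed: %s\n' \
        "$(try_decrypt "$WORK/id_rsa" 'correct horse battery staple')"
    diff "$WORK/id_rsa.orig" "$WORK/id_rsa" || true   # shows the changed line
    rm -rf "$WORK"
}

demo
```

If the original file is still available somewhere (a backup, or the copy the key was generated from), a plain diff or sha256sum comparison settles the question faster than any amount of passphrase guessing; the verdicts above are only a heuristic, since a wrong passphrase can occasionally decrypt to bytes with valid padding and then fail in the decoder too.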

Solution 2:

I ended up here because I had the same problem, but mine was caused by the AWS ACM certificate export interface. (Private CA certificates can be exported with a passphrase.)

Something about the particular passphrase I used... I'm not sure exactly what caused the issue, but it was likely the length or the symbols used.

The end result was that I had a key with a different/shortened passphrase from what I expected.

Hope that helps someone...