remove empty passphrase from ssl key using openssl

I have an openssl key file encrypted with an empty passphrase. I'm trying to remove the passphrase using this command

openssl rsa -in ca.key -out ca.key.clear

I then try to enter the empty passphrase when it asks for the current passphrase, but I get this error:

140592616367776:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters

So it seems I cannot remove a passphrase if it is less than 4 characters.

How do I remove the passphrase, ideally using openssl?


Solution 1:

I came up with a workaround using the etcd-ca tool.

mkdir .etcd-ca
mv ca.key .etcd-ca/ca.host.key
touch .etcd-ca/ca.host.crt
chmod a-w .etcd-ca/ca.host.crt
etcd-ca export --insecure ca > ca.tar
tar xf ca.tar

It's not pretty, but it worked. I still don't know how to achieve this using openssl though.

Solution 2:

It's true you cannot get PEM_bytes_read_bio and PEM_do_header, which is where the legacy-PEM decrypts end up, to take a zero-length passphrase, nohow.

There is a workaround, but you may not like it:

# assumes DES3 (aka DES-EDE3) CBC as in the example
# changes and/or additional logic needed for other ciphers

# get the IV from the file header 
iv=`awk <silly -F, '/DEK-Info:/{print $2}'`
# use enc to do EVP_BytesToKey with salt=IV and just print result
# (-md md5 is required: legacy PEM uses MD5, and enc's default digest became SHA-256 in OpenSSL 1.1.0)
key=`openssl enc -des3 -k '' -S $iv -md md5 -P |awk -F= '/^key/{print $2}'`
# get body of the file, debase64 and decrypt 
# note openssl silently drops dash-END line, another debase64 may not 
<silly sed '1,/^$/d' |openssl base64 -d |openssl enc -des3 -d -K $key -iv $iv >sillyd

# sillyd is now unencrypted DER "legacy" (PKCS#1) 
# and can be read by "openssl rsa <sillyd -inform der"
# but since we're on a roll let's do PEM too!
(echo -----BEGIN RSA PRIVATE KEY-----;openssl base64 <sillyd;\
 echo -----END RSA PRIVATE KEY-----) >sillyp

My suggestion: next time don't use an empty passphrase :-)
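
Solution 2's derivation, generalised to the AES-CBC DEK-Info ciphers as well as DES3, as an added example that is not part of any answer above; it assumes `openssl` 1.0.2 or later on PATH and LF line endings, and the function name `strip_empty_passphrase` is my own:

```sh
# Strip an EMPTY passphrase from a legacy ("Proc-Type: 4,ENCRYPTED") PEM key.
# openssl's passphrase prompt refuses fewer than 4 characters, so this re-does what
# PEM_do_header does internally: EVP_BytesToKey(cipher, MD5, salt = first 8 bytes
# of the IV, passphrase "", 1 iteration), then CBC-decrypts the base64 body.
# Handles the DES-EDE3-CBC and AES-*-CBC DEK-Info ciphers; assumes LF line endings.
# Usage: strip_empty_passphrase in.pem out.pem   (out.pem is an unencrypted PEM key)
strip_empty_passphrase() {
    in=$1; out=$2
    # "DEK-Info: AES-128-CBC,<hex iv>" -> cipher name (as openssl enc wants it) and IV
    dek=$(awk '/^DEK-Info:/ {print $2}' "$in")
    [ -n "$dek" ] || { echo "$in: no DEK-Info header, not a legacy-encrypted PEM" >&2; return 1; }
    cipher=$(printf '%s' "$dek" | cut -d, -f1 | tr 'A-Z' 'a-z')
    iv=$(printf '%s' "$dek" | cut -d, -f2)
    case "$cipher" in
        des-ede3-cbc|aes-128-cbc|aes-192-cbc|aes-256-cbc) ;;
        *) echo "$in: unsupported DEK-Info cipher $cipher" >&2; return 1 ;;
    esac
    # PEM feeds only the first 8 IV bytes (16 hex chars) to the KDF as salt. -md md5 is
    # essential on OpenSSL 1.1.0+, where enc's default KDF digest became SHA-256.
    salt=$(printf '%s' "$iv" | cut -c1-16)
    key=$(openssl enc -"$cipher" -k '' -S "$salt" -md md5 -P 2>/dev/null \
          | awk -F= '/^key=/ {print $2}')
    [ -n "$key" ] || { echo "$in: key derivation failed" >&2; return 1; }
    # Body = everything after the blank line that ends the headers, minus the END line.
    # Decrypt to raw DER, then let openssl rsa both validate it and re-encode it as PEM.
    sed -e '1,/^$/d' -e '/^-----END/d' "$in" \
        | openssl base64 -d \
        | openssl enc -"$cipher" -d -K "$key" -iv "$iv" \
        | openssl rsa -inform DER -out "$out"
}
```

The wrong digest or a wrong salt width does not produce an error from `enc`, only garbage DER, which is why the final `openssl rsa` parse step is kept in the pipeline as the check.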

Solution 3:

Here is how I got around this problem.

  1. Add a new passphrase to the private key that was originally created without a passphrase.

    openssl rsa -des3 -in your.key -out your.encrypted.key
    mv your.encrypted.key your.key

This will prompt you to enter a new passphrase.

  2. Now remove the passphrase as follows:

    openssl rsa -in your.key -out your.key_NO_PASSPHRASE.pem

  3. This will prompt you to enter the passphrase specified in Step 1 above and will then remove it from the key.

This worked for me and Apache started without any errors. (I'm assuming that's why you needed to remove it in the first place :) )