remove empty passphrase from ssl key using openssl

passphrase openssl

I have an openssl key file encrypted with an empty passphrase. I'm trying to remove the passphrase using this command

openssl rsa -in ca.key -out ca.key.clear

I then try to enter the empty passphrase when it asks for the current passphrase, but I get this error:

140592616367776:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters

So it seems I cannot remove a passphrase if it is less than 4 characters.

How do I remove the passphrase, ideally using openssl.


Solution 1:

I came up with a workaround using the etcd-ca tool.

mkdir .etcd-ca
mv ca.key .etcd-ca/ca.host.key
touch .etcd-ca/ca.host.crt
chmod a-w .etcd-ca/ca.host.crt
etcd-ca export --insecure ca > ca.tar
tar xf ca.tar

It's not pretty, but it worked. I still don't know how to achieve this using openssl though.

Solution 2:

It's true you cannot get PEM_bytes_read_bio and PEM_do_header, which is where the legacy-PEM decrypts end up, to take a zero-length passphrase, nohow.

There is a workaround, but you may not like it:

# assumes DES3 (aka DES-EDE3) CBC as in the example
# changes and/or additional logic needed for other ciphers

# get the IV from the file header 
iv=`awk <silly -F, '/DEK-Info:/{print $2}'`
# use enc to do EVP_BytesToKey with salt=IV and just print result 
key=`openssl enc -des3 -k '' -S $iv -P |awk -F= '/^key/{print $2}'`
# get body of the file, debase64 and decrypt 
# note openssl silently drops dash-END line, another debase64 may not 
<silly sed '1,/^$/d' |openssl base64 -d |openssl enc -des3 -d -K $key -iv $iv >sillyd

# sillyd is now unencrypted DER "legacy" (PKCS#1) 
# and can be read by "openssl rsa <sillyd -inform der"
# but since we're on a roll let's do PEM too!
(echo -----BEGIN RSA PRIVATE KEY-----;openssl base64 <sillyd;\
 echo -----END RSA PRIVATE KEY-----) >sillyp

My suggestion: next time don't use an empty passphrase :-)

Solution 3:

Here is how I got around this problem..

  1. Add a new passphrase to the private key that was originally created without a passphrase.

    openssl rsa -des3 -in your.key -out your.encrypted.key
mv your.encrypted.key your.key

This will prompt you to enter a new passphrase.

  1. Now remove the passphrase as follows:

    openssl rsa -in your.key -out your.key_NO_PASSPHRASE.pem

  2. This will prompt you to enter the passphrase specified in Step 1. above and will then remove it from the Key.

This worked for me and Apache started without any errors. (I'm assuming that's why you needed to remove it in the first place :) )

Related

is there a standard for chaining x-forwarded-for headers?
Host keeps asking for password when using SSH Keys with PuTTY for Windows
logstash failing to parse syslog input
How to disable update notification in gcloud command?
Can't use ctrl+c to kill process in VM
How Does DNSWL work? How can I gain better trust? [closed]
Cloudflare integration with Azure websites
Postfix: disable "sender non-delivery notification" from MAILER-DAEMON
Postfix connected to Load Balancer, how to turn down connect/disconnect messages in mail.log
How to get color output from SSH command
Debian 8 resolv.conf overwritten by IPv6 autoconfiguration/DHCP when DHCP disabled
What's the top normal S.M.A.R.T. temperature for HGST Helium Ultrastar 8TB 7200 RPM SAS 12Gb/s enterprise drives?