How to remove Private Key Password from pkcs12 container?

Solution 1:

It can be achieved by various openssl calls.

  • PASSWORD is your current password
  • YourPKCSFile is the file you want to convert
  • NewPKCSWithoutPassphraseFile is the target file for the PKCS12 without passphrase

First, extract the certificate:

$ openssl pkcs12 -clcerts -nokeys -in "YourPKCSFile" \
      -out certificate.crt -password pass:PASSWORD -passin pass:PASSWORD

Second, the CA key:

$ openssl pkcs12 -cacerts -nokeys -in "YourPKCSFile" \
      -out ca-cert.ca -password pass:PASSWORD -passin pass:PASSWORD

Now, the private key:

$ openssl pkcs12 -nocerts -in "YourPKCSFile" \
      -out private.key -password pass:PASSWORD -passin pass:PASSWORD \
      -passout pass:TemporaryPassword

Now remove the passphrase:

$ openssl rsa -in private.key -out "NewKeyFile.key" \
      -passin pass:TemporaryPassword

Put things together for the new PKCS-File:

$ cat "NewKeyFile.key"  \
      "certificate.crt" \
      "ca-cert.ca" > PEM.pem

And create the new file:

$ openssl pkcs12 -export -nodes -CAfile ca-cert.ca \
      -in PEM.pem -out "NewPKCSWithoutPassphraseFile"

Now you have a new PKCS12 key file without passphrase on the private key part.

Solution 2:

The simplest solution I've found is

Export to temporary pem file

openssl pkcs12 -in protected.p12 -nodes -out temp.pem
#  -> Enter password

Convert pem back to p12

openssl pkcs12 -export -in temp.pem  -out unprotected.p12
# -> Just press [return] twice for no password

Remove temporary certificate

rm temp.pem

Solution 3:

This can easily be done in one step with no temporary file:

openssl pkcs12 -in "PKCSFile" -nodes | openssl pkcs12 -export -out "PKCSFile-Nopass"

Answer the Import Password prompt with the password. Answer the Export Password prompts with <CR>.

Done.

Note that this handles any number of intermediate certificates that may be in the bundle...

I strongly recommend taking care with the resulting file; it would be a good idea to set umask to 377 first (non-unix: this means only owner can read file that's created.) I suppose that's 2 steps, if your default umask is permissive...


Solution 4:

Now, the private key:

openssl pkcs12 -nocerts -in "YourPKCSFile" -out private.key -password pass:PASSWORD -passin pass:PASSWORD -passout pass:TemporaryPassword

Now remove the passphrase:

openssl rsa -in private.key -out "NewKeyFile.key" -passin pass:TemporaryPassword

The 2 steps may be replaced by

openssl pkcs12 -nocerts -in "YourPKCSFile" -out private.key -nodes