Remove the passphrase from an existing OpenSSL key file
|Debian (Lenny, Squeeze)|
|Ubuntu (Lucid, Precise, Trusty)|
To remove the passphrase from an existing OpenSSL key file
In order to establish an SSL connection it is usually necessary for the server (and perhaps also the client) to authenticate itself to the other party. This is normally done using an X.509 certificate, which links the owner’s identity to a public key that can be used with a digital signature algorithm such as RSA or DSA. In order to use the public key it is necessary to know the corresponding private key, which can either be stored separately or in the same file as the certificate.
The private key is sometimes encrypted using a passphrase in order to protect it from loss. This is good for security, but often impracticable when the key is intended for use by a server. See below for a discussion of the security implications of removing the passphrase.
There are three commonly-used data formats for storing SSL private keys (OpenSSL, PKCS#8 and PKCS#12) and two encoding methods (DER and PEM). These instructions apply to encrypted RSA or DSA keys in OpenSSL format with PEM encoding. (The requirement does not arise when using OpenSSL format with DER encoding, as encryption is not then supported.)
Suppose you have an OpenSSL key file with the pathname
/etc/ssl/private/example.key. It is currently protected by a passphrase which you wish to remove.
The passphrase can be removed using OpenSSL, which is provided by the
openssl package on both Debian:
apt-get install openssl
and Red Hat-based systems:
yum install openssl
For RSA keys, a suitable command for removing the passphrase would be:
openssl rsa -in /etc/ssl/private/example.key -out /etc/ssl/private/example.nocrypt.key
For DSA keys, replace
openssl dsa -in /etc/ssl/private/example.key -out /etc/ssl/private/example.nocrypt.key
dsa subcommands each take a private key as their input and produce one as their output. The output key is unencrypted by default, so removal of the passphrase need not be explicitly requested. The
-out options specify the pathnames of the input and output files respectively.
Encryption of the private key is a useful protection against loss, except that it is often impracticable to present the passphrase when it is needed.
To use a passphrase-protected certificate on a server the usual mode of operation is to prompt for the passphrase when the server process starts, then keep a copy of the key in memory while the process is running. There are at least three issues with this approach:
- The server process cannot be restarted unless there is someone in attendance who is able to enter the passphrase.
- Restarting the server process will take longer than would otherwise be the case due to the time taken entering the passphrase.
- Even if the key exists only in memory, that does not make it completely inaccessible to an attacker.
For these reasons it is not unusual for SSL certificates to be used without a passphrase, as in the example above. If you are concerned about the risk of loss then you may find that the following measures provide a better balance between security and availability:
- Use a separate machine to perform the SSL encapsulation. This can then be hardened to a significantly greater extent than would be possible if it were also serving the content.
- Make the validity period of the certificate as short as possible. You should not normally do this when using self-signed certificates, because you would increase the risk during distribution, but a short validity period is feasible if you are running a local certificate authority.