Remove the passphrase from an existing OpenSSL key file

Tested on

Debian (Lenny, Squeeze)
Ubuntu (Lucid, Precise, Trusty)

Objective

To remove the passphrase from an existing OpenSSL key file

Background

In order to establish an SSL connection it is usually necessary for the server (and perhaps also the client) to authenticate itself to the other party. This is normally done using an X.509 certificate, which links the owner’s identity to a public key that can be used with a digital signature algorithm such as RSA or DSA. In order to use the public key it is necessary to know the corresponding private key, which can either be stored separately or in the same file as the certificate.

The private key is sometimes encrypted using a passphrase in order to protect it from loss. This is good for security, but often impracticable when the key is intended for use by a server. See below for a discussion of the security implications of removing the passphrase.

There are three commonly used data formats for storing SSL private keys (OpenSSL, PKCS#8 and PKCS#12) and two encoding methods (DER and PEM). These instructions apply to encrypted RSA or DSA keys in OpenSSL format with PEM encoding. (The requirement does not arise when using OpenSSL format with DER encoding, because that encoding does not support encryption.)

Scenario

Suppose you have an OpenSSL key file with the pathname /etc/ssl/private/example.key. It is currently protected by a passphrase which you wish to remove.

Method

The passphrase can be removed using the openssl command-line tool, which is provided by the openssl package on both Debian-based systems:

apt-get install openssl

and Red Hat-based systems:

yum install openssl

For RSA keys, a suitable command for removing the passphrase would be:

openssl rsa -in /etc/ssl/private/example.key -out /etc/ssl/private/example.nocrypt.key

For DSA keys, replace rsa with dsa:

openssl dsa -in /etc/ssl/private/example.key -out /etc/ssl/private/example.nocrypt.key

The rsa and dsa subcommands each take a private key as their input and produce one as their output. The output key is unencrypted by default, so removal of the passphrase need not be explicitly requested. The -in and -out options specify the pathnames of the input and output files respectively.
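The following script is an added example and is not part of the original page: it carries out the RSA procedure above end to end and then checks the result the way a practitioner would before putting the unencrypted key into service. The key, its passphrase and the scratch directory are all constructed for the demonstration; in real use the input would be the existing file such as /etc/ssl/private/example.key. The function names (remove_passphrase, is_encrypted, same_public_key, run_checks, demo) are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: strip the passphrase from an
# encrypted RSA key with `openssl rsa`, then check the result before it is
# put into service. The key, passphrase and scratch directory are constructed
# here for the demo; the real input would be /etc/ssl/private/example.key.
set -eu

# remove_passphrase IN OUT PASS: write an unencrypted copy of IN to OUT.
# `openssl rsa -out` creates the output file under the caller's umask, so the
# subshell sets umask 077 to make sure the plaintext key lands as mode 0600.
remove_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null )
}

# is_encrypted FILE: succeed if the PEM file carries an encryption marker.
# Traditional OpenSSL format uses a "Proc-Type: 4,ENCRYPTED" header; PKCS#8,
# which OpenSSL 3.x writes by default, uses "BEGIN ENCRYPTED PRIVATE KEY".
is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# same_public_key ENCRYPTED PASS PLAIN: succeed if both files hold the same key.
same_public_key() {
    a=$(openssl rsa -in "$1" -passin "pass:$2" -pubout 2>/dev/null)
    b=$(openssl rsa -in "$3" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# run_checks DIR: generate a key in DIR, strip its passphrase, verify.
run_checks() {
    key="$1/example.key"
    nokey="$1/example.nocrypt.key"
    pass="constructed-demo-passphrase"

    # Constructed input: a fresh 2048-bit RSA key encrypted with AES-256.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$key" 2048 2>/dev/null

    remove_passphrase "$key" "$nokey" "$pass"

    is_encrypted "$key"   || { echo "FAIL: input key was not encrypted"; return 1; }
    ! is_encrypted "$nokey" || { echo "FAIL: output key is still encrypted"; return 1; }
    same_public_key "$key" "$pass" "$nokey" || { echo "FAIL: public keys differ"; return 1; }
    [ "$(ls -l "$nokey" | cut -c1-10)" = "-rw-------" ] \
        || { echo "FAIL: output key is not mode 0600"; return 1; }
    echo ok
}

# demo: run the checks in a temporary directory that is always cleaned up.
demo() {
    dir=$(mktemp -d)
    rc=0
    run_checks "$dir" || rc=$?
    rm -rf "$dir"
    return $rc
}

# Entry point for stand-alone use; skipped silently if openssl is absent.
command -v openssl >/dev/null 2>&1 && demo
```

The permission check is the part worth keeping: once the passphrase is gone, file permissions are the only thing standing between the key and any other local user, and `openssl rsa -out` does nothing special about them. The public-key comparison confirms that the rewritten file still corresponds to the certificate already deployed, so the server can be restarted against it without surprise.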

Security considerations

Passphrases

Encryption of the private key is a useful protection against loss, except that it is often impracticable to present the passphrase when it is needed.

To use a passphrase-protected certificate on a server the usual mode of operation is to prompt for the passphrase when the server process starts, then keep a copy of the key in memory while the process is running. There are at least three issues with this approach:

For these reasons it is not unusual for SSL certificates to be used without a passphrase, as in the example above. If you are concerned about the risk of loss then you may find that the following measures provide a better balance between security and availability:

Tags: crypt | ssl