61
  1. I extracted the certificate using Chrome's SSL/export command.
  2. Then provided it as input to openvpn - in the config for openvpn:
    pkcs12 "path/to/pkcs12_container"
  3. When calling openvpn ~/openvp_config it asks for a password for the private key (which I entered when exporting using Chrome):
    Enter Private Key Password:...
  4. I want to remove this password request.

The question: how to remove the password for private key from pkcs12?

That is, create pkcs12 file which doesn't require a password.

(Seems that I already somehow did this a year ago, and now forgot it. Damn.)

Ayrat
  • 713

8 Answers

77

It can be achieved by various openssl calls.

  • PASSWORD is your current password
  • YourPKCSFile is the file you want to convert
  • NewPKCSWithoutPassphraseFile is the target file for the PKCS12 without passphrase

First, extract the certificate:

$ openssl pkcs12 -clcerts -nokeys -legacy -in "YourPKCSFile" \
      -out certificate.crt -password pass:PASSWORD -passin pass:PASSWORD

Second, the CA key:

$ openssl pkcs12 -cacerts -nokeys -legacy -in "YourPKCSFile" \
      -out ca-cert.ca -password pass:PASSWORD -passin pass:PASSWORD

Now, the private key:

$ openssl pkcs12 -nocerts -legacy -in "YourPKCSFile" \
      -out private.key -password pass:PASSWORD -passin pass:PASSWORD \
      -passout pass:TemporaryPassword

Now remove the passphrase:

$ openssl rsa -legacy -in private.key -out "NewKeyFile.key" \
      -passin pass:TemporaryPassword

Put things together for the new PKCS-File:

$ cat "NewKeyFile.key"  \
      "certificate.crt" \
      "ca-cert.ca" > PEM.pem

And create the new file:

$ openssl pkcs12 -export -nodes -CAfile ca-cert.ca \
      -in PEM.pem -out "NewPKCSWithoutPassphraseFile"

Now you have a new PKCS12 key file without passphrase on the private key part.

zero0
  • 1,497
  • 16
  • 14
57

The simplest solution I've found is

Export to temporary pem file

openssl pkcs12 -in protected.p12 -nodes -out temp.pem
#  -> Enter password

Convert pem back to p12

openssl pkcs12 -export -in temp.pem  -out unprotected.p12
# -> Just press [return] twice for no password

Remove temporary certificate

rm temp.pem
Koen.
  • 936
13

This can easily be done in one step with no temporary file:

openssl pkcs12 -in "PKCSFile" -nodes | openssl pkcs12 -export -out "PKCSFile-Nopass"

Answer the Import Password prompt with the password. Answer the Export Password prompts with <CR>

Done.

Note that this handles any number of intermediate certificates that may be in the bundle...

I strongly recommend taking care with the resulting file; it would be a good idea to set umask to 377 first (non-unix: this means only owner can read file that's created.) I suppose that's 2 steps, if your default umask is permissive...

tlhackque
  • 139
2

Unfortunately none of the answers posted thus far are correct, as they just supply a blank password as opposed to no password, which means that you will still get prompted for a password in the first place.

For the sake of keeping everything together in one place, I'll copy @slm's post with some slight amendments;

  • PASSWORD is your current password
  • YourPKCSFile is the file you want to convert
  • NewPKCSWithoutPassphraseFile is the target file for the PKCS12 without passphrase

First, extract the certificate:

$ openssl pkcs12 -clcerts -nokeys -in "YourPKCSFile" -out certificate.crt \
    -password pass:PASSWORD -passin pass:PASSWORD

Second, the CA (issuer) certificate:

$ openssl pkcs12 -cacerts -nokeys -in "YourPKCSFile" -out ca-cert.ca \
    -password pass:PASSWORD -passin pass:PASSWORD

Now, the private key:

$ openssl pkcs12 -nocerts -in "YourPKCSFile" -out private.key -password \
    pass:PASSWORD -passin pass:PASSWORD -passout pass:TemporaryPassword

Now remove the passphrase:

$ openssl rsa -in private.key -out "NewKeyFile.key" -passin pass:TemporaryPassword

Put things together for the new PKCS-File:

Bash:

$ cat "NewKeyFile.key" "certificate.crt" "ca-cert.ca" > PEM.pem

CMD:

$ type "NewKeyFile.key" "certificate.crt" "ca-cert.ca" > PEM.pem

And create the new file:

$ openssl pkcs12 -export -nodes -CAfile ca-cert.ca -in PEM.pem \
    -out "NewPKCSWithoutPassphraseFile.p12" -passout pass:
oPless
  • 103
2

My use-case was to remove a password from a .p12 file for fastlane. I tried all the answers from this thread, but then I stumbled upon some blog post that had the answer that worked finally for me.

  1. Import your .p12 file to your Keychain Access. You can do it simply by double-clicking the file. You'll be prompted with the password to the private key. Enter it.

  2. Export this certificate as both .cer and .p12. When prompted for .p12 password, confirm empty text field.


Albert221
  • 121
2

Now, the private key:

openssl pkcs12 -nocerts -in "YourPKCSFile" -out private.key -password pass:PASSWORD -passin pass:PASSWORD -passout pass:TemporaryPassword

Remove now the passphrase:

openssl rsa -in private.key -out "NewKeyFile.key" -passin pass:TemporaryPassword

The 2 steps may be replaced by

openssl pkcs12 -nocerts -in "YourPKCSFile" -out private.key -nodes
kuang
  • 21
1

Here's a pure PowerShell solution that works without OpenSSL:

Install-Module -Name 'Carbon.Cryptography'
$password = Read-Host -AsSecureString
$cert = Get-CCertificate -Path PATH -Password $password -KeyStorageFlags Exportable
[IO.File]::WriteAllBytes(OUT_PATH, $cert.Export('Pfx'))
0

None of these worked for me. In the end I reverted to dotNet code which worked first time.

using System;
using System.Linq; // needed for args.Contains(...)

class Script
{
    static public void Main(string[] args)
    {
        if (args.Length < 3 || args.Contains("/?"))
        {
            MainHelp(args);
            return;
        }
        string _infile = args[0],
        _outfile = args[2];
        // An omitted fourth argument means an empty output password.
        string _password = args[1], _outpassword = (args.Length > 3) ? args[3] : "";

        // The progress messages below print both passwords in clear text.
        Console.WriteLine(String.Format("{0} -> {1} with ({2} -> {3})", _infile, _outfile, _password, _outpassword));
        System.Security.Cryptography.X509Certificates.X509Certificate2 cert = null;

        // Load the PFX with its current password and mark the key exportable.
        Console.WriteLine(String.Format("Load {0} with {2}", _infile, _outfile, _password, _outpassword));
        cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(_infile, _password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable);

        // Re-export as PFX protected with the output password.
        Console.WriteLine(String.Format("Export {1} with {3}", _infile, _outfile, _password, _outpassword));
        System.IO.File.WriteAllBytes(_outfile, cert.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pfx, _outpassword));

        Console.WriteLine(String.Format("Export complete", _infile, _outfile, _password, _outpassword));
    }

    static public void MainHelp(string[] args)
    {
        Console.WriteLine("Usage pfxremovepwd [inpfx] [inpwd] [outpfx] [optional outpwd]");
        return;
    }
}