By default, SSL certificates are created using a password. For example, OpenVPN keys (.p12 files) always have a passphrase in them.
However, automating connections, such as ensuring an OpenVPN connection is created on boot, requires the private key passphrase to be removed.
I got tired of the almost 10 commands to do this, so I wrote the following Perl script. If you don't want to run a Perl script, simply copy/paste the commands (it is just a list of commands to run).
This should be executed as:
removeP12Passphrase.pl /full/path/to/key.p12 'passphrase'
The original encrypted key will be stored as key.p12.save, then the passphrase will be removed from the key. It will ask for a passphrase two times, and just pressing Enter will give it a blank passphrase.
NOTE: if you enter a passphrase, the key will simply be encrypted with the new one.
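```perl
#! /usr/bin/perl -w

use Cwd 'abs_path';

my $keyfile = shift;
my $passphrase = shift;

$keyfile = abs_path( $keyfile );
die "the first parameter should be the full path to your p12 file" unless -e $keyfile;
die "the second parameter should be the password to your p12 file" unless $passphrase;

# run a shell command and die with a description if it fails
sub runCommand {
   my $command = shift;
   qx/$command/;
   if ($? == -1) {
      die "$command\nfailed to execute: $!\n";
   } elsif ($? & 127) {
      die sprintf( "$command\n died with signal %d, %s coredump\n", ($? & 127), ($? & 128) ? 'with' : 'without' );
   } else {
      die sprintf( "$command\n exited with value %d\n", $? >> 8) if $? >> 8;
   }
}

# The intermediate files hold the unencrypted private key, so create them
# readable by the owner only. They are left in /tmp; delete them afterwards.
umask 077;
chdir '/tmp';

# Note: the passphrase is passed on the openssl command line, so it is visible
# in the process list while each command runs.

# keep the original encrypted file as key.p12.save
&runCommand( "cp '$keyfile' '$keyfile.save'" );
# extract the client certificate
&runCommand( "openssl pkcs12 -clcerts -nokeys -in '$keyfile' -out certificate.crt -password pass:'$passphrase' -passin pass:'$passphrase'" );
# extract the CA certificate(s)
&runCommand( "openssl pkcs12 -cacerts -nokeys -in '$keyfile' -out ca-cert.ca -password pass:'$passphrase' -passin pass:'$passphrase'" );
# extract the private key, protected with a temporary passphrase
&runCommand( "openssl pkcs12 -nocerts -in '$keyfile' -out private.key -password pass:'$passphrase' -passin pass:'$passphrase' -passout pass:joe" );
# strip the temporary passphrase from the private key
&runCommand( "openssl rsa -in private.key -out 'NewKeyFile.key' -passin pass:joe" );
# build one PEM file: key, then certificate, then CA certificate(s)
&runCommand( "cat 'NewKeyFile.key' > PEM.pem" );
&runCommand( "cat 'certificate.crt' >> PEM.pem" );
&runCommand( "cat 'ca-cert.ca' >> PEM.pem" );
# write the new p12 over the original (this is where the new passphrase is asked for)
&runCommand( "openssl pkcs12 -export -nodes -CAfile ca-cert.ca -in PEM.pem -out '$keyfile'" );

1;
```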
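The same procedure as a shell function, added here as an example and not part of the author's script. It goes slightly beyond the script above: the passphrase is read from an environment variable rather than the command line, the unencrypted key only exists in an owner-only temporary directory, and the empty passphrase is set without prompting. The names `strip_p12_passphrase` and `P12_PASS` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the page's script. strip_p12_passphrase and P12_PASS are
# hypothetical names.
# Usage: P12_PASS='current passphrase' strip_p12_passphrase /path/to/key.p12

strip_p12_passphrase() (
    p12=$1
    [ -f "$p12" ] || { echo "no such file: $p12" >&2; exit 2; }
    [ -n "${P12_PASS+set}" ] || { echo "P12_PASS is not set" >&2; exit 2; }
    export P12_PASS            # openssl reads it via env:, so it never appears in argv

    umask 077                  # intermediate files readable by the owner only
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT # remove the decrypted key when the function ends

    # 1. Decrypt key, client certificate and CA certificates into one PEM bundle.
    #    A wrong passphrase fails here, before anything is modified.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nodes \
        -out "$work/bundle.pem" || exit 1

    # 2. Re-export the bundle with an empty passphrase (no interactive prompt).
    openssl pkcs12 -export -in "$work/bundle.pem" -passout pass: \
        -out "$work/new.p12" || exit 1

    # 3. Check the new file opens with the empty passphrase before replacing anything.
    openssl pkcs12 -in "$work/new.p12" -passin pass: -nokeys -out /dev/null || exit 1

    # 4. Keep the encrypted original as key.p12.save, as the page's script does,
    #    then overwrite the original in place (keeps its owner and mode).
    cp -p "$p12" "$p12.save" || exit 1
    cat "$work/new.p12" > "$p12"
)
```

The resulting file holds an unencrypted private key, so its file permissions are the only protection left; restrict it to the account that runs the VPN client.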