remove the passphrase from a pkcs12 certificate

PKCS12 defines a file format that contains a private key and an associated certificate. These files might be used to establish some encrypted data exchange. In the current use case, OpenVPN is used to connect to a remote network. The pkcs12 is issued by a CA (certificate authority) tool. For security reasons, the private key contained in the pkcs12 is normally protected by a passphrase. This has the downside that you need to manually type the passphrase whenever you establish the connection. But there’s a way to get around this. OpenSSL is a swiss-army-knife toolkit for managing simply everything in the field of keys and certificates. Since it’s a command line tool, you need to understand what you’re doing. So it took me a little while to figure out how to remove a passphrase from a given pkcs12 file. Here’s what I’ve done:

openssl pkcs12 -in protected.p12.orig -nodes -out temp.pem
openssl pkcs12 -export -in temp.pem -out unprotected.p12
rm temp.pem

The first command decrypts the original pkcs12 into a temporary PEM file. PEM is a base64-encoded format, and because of -nodes the private key in it is left unencrypted. The second command picks this up and constructs a new pkcs12 file. During this, you are asked for the new passphrase; by simply pressing return here, it is set to nothing (an empty passphrase). When using unprotected.p12 in the OpenVPN connection, you’re no longer asked for a passphrase.

A word of warning: I do not recommend doing this generally. From my perspective it’s okay if your unprotected pkcs12 file is protected by other means, e.g. hard-disk encryption.
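The same three steps as a script, added here as an example that is not part of the original post: it runs without prompts (the real -passin/-passout OpenSSL options), keeps the intermediate PEM with the unencrypted key in a private temporary directory that is removed on every exit path, and checks that the new bundle really opens with an empty passphrase. The function name strip_p12_passphrase and the argument layout are my own.

```shell
#!/bin/sh
# Added example (not the post's own commands).
# Usage: strip_p12_passphrase protected.p12 unprotected.p12 "$OLD_PASS"
set -eu

# Body runs in a subshell so umask and the cleanup trap stay local.
strip_p12_passphrase() (
    in_p12=$1; out_p12=$2; old_pass=$3

    # Private scratch dir: the temporary PEM holds the bare private key,
    # so nothing else on the machine should be able to read it.
    umask 077
    work=$(mktemp -d) || exit 1
    # Remove the scratch dir whether we succeed or fail below.
    trap 'rm -rf "$work"' EXIT INT TERM

    # 1. Unpack cert + key; -nodes leaves the key unencrypted in the PEM.
    openssl pkcs12 -in "$in_p12" -nodes -passin "pass:$old_pass" \
        -out "$work/temp.pem" || exit 1

    # 2. Re-bundle with an empty export passphrase (the "just press return" step).
    openssl pkcs12 -export -in "$work/temp.pem" -passout pass: \
        -out "$out_p12" || exit 1

    # 3. Check: the new bundle must open with an empty passphrase
    #    and still contain a private key.
    openssl pkcs12 -in "$out_p12" -nodes -passin pass: 2>/dev/null \
        | grep -q 'PRIVATE KEY' || exit 1
)
```

The unprotected.p12 still deserves the protection the post recommends (for example disk encryption); the script only keeps the unencrypted PEM from lingering.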

5 replies on “remove the passphrase from a pkcs12 certificate”


PS: The code highlighting system you use is incredibly frustrating — hovering over the first line to copy results in an auto-hidden menu jumping in front and preventing selection.

If I use the “copy” feature of that snippet, line 3 has two strange characters which appear as whitespace but garble the command – right after “temp.pem”. They’re the “c2 a0” below:

echo “openssl pkcs12 -in protected.p12.orig -nodes -out temp.pem

openssl pkcs12 -export -in temp.pem  -out unprotected.p12

rm temp.pem” | xxd -c 20

00000050: 7274 202d 696e 2074 656d 702e 7065 6dc2 a020 2d6f rt -in temp.pem.. -o
00000064: 7574 2075 6e70 726f 7465 6374 6564 2e70 3132 0a0a ut unprotected.p12..
