56
  1. I extracted certificate using Chrome's SSL/export command.
  2. Then provided it as input to openvpn - in the config for openvpn:
    pkcs12 "path/to/pkcs12_container"
  3. When calling openvpn ~/openvp_config it asks for a password for private key (which I entered when exporting using Chrome):
    Enter Private Key Password:...
  4. I want to remove this password request.

The question: how to remove the password for private key from pkcs12?

That is, create pkcs12 file which doesn't require a password.

(seems that I already somehow did this a year ago, and now forgot it. Damn.)

8 Answers

72

It can be achieved by various openssl calls.

  • PASSWORD is your current password
  • YourPKCSFile is the file you want to convert
  • NewPKCSWithoutPassphraseFile is the target file for the PKCS12 without passphrase

First, extract the certificate:

$ openssl pkcs12 -clcerts -nokeys -legacy -in "YourPKCSFile" \
      -out certificate.crt -password pass:PASSWORD -passin pass:PASSWORD

Second, the CA key:

$ openssl pkcs12 -cacerts -nokeys -legacy -in "YourPKCSFile" \
      -out ca-cert.ca -password pass:PASSWORD -passin pass:PASSWORD

Now, the private key:

$ openssl pkcs12 -nocerts -legacy -in "YourPKCSFile" \
      -out private.key -password pass:PASSWORD -passin pass:PASSWORD \
      -passout pass:TemporaryPassword

Now remove the passphrase:

# -legacy is an option of the pkcs12 subcommand only; openssl rsa reads the
# PEM-encoded key written by the previous step without it
$ openssl rsa -in private.key -out "NewKeyFile.key" \
      -passin pass:TemporaryPassword

Put things together for the new PKCS-File:

$ cat "NewKeyFile.key"  \
      "certificate.crt" \
      "ca-cert.ca" > PEM.pem

And create the new file:

$ openssl pkcs12 -export -nodes -CAfile ca-cert.ca \
      -in PEM.pem -out "NewPKCSWithoutPassphraseFile"

Now you have a new PKCS12 key file without passphrase on the private key part.

6
  • awesome answer! ..what is ca-cert.ca?
    – Ayrat
    Jun 14, 2013 at 14:05
  • @Ayrat: This is the CA certificate part of your key. -- I have a typo in the answer, correcting... -- feel free to upvote and accept the answer after you tried it :-)
    – zero0
    Jun 14, 2013 at 14:06
  • 7
    -nodes is ignored when -export is used, it's not documented for this case (see openssl man page, -nodes is only listed when exporting from PKCS#12 to PEM). Your last call still prompts me for an export password. And If I just hit return, I get a PKCS#12 file whose password is an empty string and not one without a password. When I then do openssl pkcs12 -in "NewPKCSWithoutPassphraseFile" it still prompts me for an import password. I can just hit return and that works but if there was no password, it wouldn't even prompt.
    – Mecki
    Nov 28, 2018 at 15:56
  • At the first step I get Error outputting keys and certificates 4017F33E857F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties () . Any ideas?
    – pihentagy
    Dec 2, 2022 at 10:31
  • @pihentagy: recent OpenSSL (3.0.0 up, since 2021 which is 8 years after this A) by default doesn't support the now-obsolete algorithm RC2-40 which was used in most PKCS12 files before about 2020 and still by some software that hasn't been updated; to read such a file you need to add -legacy. Jul 30 at 23:54
55

The simplest solution I've found is

Export to temporary pem file

openssl pkcs12 -in protected.p12 -nodes -out temp.pem
#  -> Enter password

Convert pem back to p12

openssl pkcs12 -export -in temp.pem  -out unprotected.p12
# -> Just press [return] twice for no password

Remove temporary certificate

rm temp.pem
6
  • 1
    I don't see a downside to this approach. Oct 31, 2014 at 22:31
  • Some tools require a password. For example keytool -v -list -storetype pkcs12 -keystore unprotected.p12 will emit a warning and will NOT list the certificate. So it may work for OpenVPN, but not for something else.
    – mivk
    Nov 18, 2015 at 13:29
  • 1
    @Koen : yes. Apparently, keytool (and probably other Java applications?) refuses to list certs in a pkcs12 container which was created with an empty export password. But I understand that OpenVPN doesn't care. So it just means: if you made it with an empty password, check that it actually works in your application.
    – mivk
    Nov 19, 2015 at 12:30
  • 1
    Sure, but the question is about removing the password, not about applications that require a password to be set.
    – Koen.
    Nov 19, 2015 at 12:43
  • 8
    Your solution doesn't create a PKCS#12 w/o a password but one with a password that is "" (empty string), which is not the same.
    – Mecki
    Nov 28, 2018 at 15:58
11

This can easily be done in one step with no temporary file:

openssl pkcs12 -in "PKCSFile" -nodes | openssl pkcs12 -export -out "PKCSFile-Nopass"

Answer the Import Password prompt with the password. Answer the Export Password prompts with <CR>

Done.

Note that this handles any number of intermediate certificates that may be in the bundle...

I strongly recommend taking care with the resulting file; it would be a good idea to set umask to 377 first (non-unix: this means only owner can read file that's created.) I suppose that's 2 steps, if your default umask is permissive...

3
  • I see: 'Enter Import Password:' and 'MAC verified OK' but then 'unable to load certificates'. This is an Apple p12 file - maybe they're different. Aug 10, 2022 at 11:06
  • This creates a P12 with EMPTY password which is not the same as NO password. And if only works if the input file has the key bag before the cert bag, which varies depending on what sw created it and how; otherwise you get the error @TimBaverstock did. Oct 29, 2022 at 0:23
  • 1
    If you're using openssl 3 or above and you find problems, you may have to add the -legacy flag at the first command as stated here: stackoverflow.com/a/72600724/955619
    – Caumons
    Mar 3 at 14:17
2

Now, the private key:

openssl pkcs12 -nocerts -in "YourPKCSFile" -out private.key -password pass:PASSWORD -passin pass:PASSWORD -passout pass:TemporaryPassword

Now remove the passphrase:

openssl rsa -in private.key -out "NewKeyFile.key" -passin pass:TemporaryPassword

The 2 steps may be replaced by

openssl pkcs12 -nocerts -in "YourPKCSFile" -out private.key -nodes
2

My use-case was to remove a password from a .p12 file for fastlane. I tried all the answers from this thread, but then I stumbled upon some blog post that had the answer that worked finally for me.

  1. Import your .p12 file to your Keychain Access. You can do it simply by double-clicking the file. You'll be prompted with the password to the private key. Enter it.

  2. Export this certificate as both .cer and .p12. When prompted for .p12 password, confirm empty text field.


2

Unfortunately none of the answers posted thus far are correct, as they just supply a blank password as opposed to no password, which means that you will still get prompted for a password in the first place.

For the sake of keeping everything together in one place, I'll copy @slm's post with some slight amendments;

  • PASSWORD is your current password
  • YourPKCSFile is the file you want to convert
  • NewPKCSWithoutPassphraseFile is the target file for the PKCS12 without passphrase

First, extract the certificate:

$ openssl pkcs12 -clcerts -nokeys -in "YourPKCSFile" -out certificate.crt \
    -password pass:PASSWORD -passin pass:PASSWORD

Second, the CA (issuer) certificate:

$ openssl pkcs12 -cacerts -nokeys -in "YourPKCSFile" -out ca-cert.ca \
    -password pass:PASSWORD -passin pass:PASSWORD

Now, the private key:

$ openssl pkcs12 -nocerts -in "YourPKCSFile" -out private.key -password \
    pass:PASSWORD -passin pass:PASSWORD -passout pass:TemporaryPassword

Now remove the passphrase:

$ openssl rsa -in private.key -out "NewKeyFile.key" -passin pass:TemporaryPassword

Put things together for the new PKCS-File:

Bash:

$ cat "NewKeyFile.key" "certificate.crt" "ca-cert.ca" > PEM.pem

CMD:

$ type "NewKeyFile.key" "certificate.crt" "ca-cert.ca" > PEM.pem

And create the new file:

$ openssl pkcs12 -export -nodes -CAfile ca-cert.ca -in PEM.pem \
    -out "NewPKCSWithoutPassphraseFile.p12" -passout pass:
1
  • 1
    This avoids the prompting but it still uses an empty password; the way to have NO password is -certpbe NONE -keypbe NONE -nomac. As already noted you can use -nodes on step 3 and skip step 4; you can also combine steps 1 and 2 as pkcs12 -nokeys >bothcerts and then just do pkcs12 -export -in bothcerts -inkey key without needing either cat or type to combine the files. Oct 29, 2022 at 0:34
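The distinction raised in the comments above, an empty-string export password versus no password at all (the `-certpbe NONE -keypbe NONE -nomac` form), can be checked on a file without any tool prompting. The following is an added example, not from any answer on this page: a small hand-written DER walker that inspects the outer PKCS#12 structure for a MAC and for encrypted SafeContents. The two sample blobs are constructed with stub bag contents; on a real DER-encoded export call inspect_pfx(open("file.p12", "rb").read()).

```python
# Added example, not from any answer above: a dependency-free DER walk that tells an
# "empty password" PKCS#12 (macData, encrypted SafeContents) from a "no password" one.
OID_DATA, OID_ENCRYPTED = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.6"
OID_DER = {OID_DATA: bytes.fromhex("06092a864886f70d010701"),      # id-data
           OID_ENCRYPTED: bytes.fromhex("06092a864886f70d010706")}  # id-encryptedData

def _tlv(tag, body):  # DER-encode; short-form length suffices for the samples
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _oid_str(body):  # decode an OBJECT IDENTIFIER body to dotted form
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def _children(buf):  # split a DER body into its (tag, value) elements
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long-form length, as real PFX files use
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def inspect_pfx(der):
    """PFX ::= SEQUENCE { version, authSafe ContentInfo, macData OPTIONAL }."""
    top = _children(_children(der)[0][1])
    octet = _children(_children(top[1][1])[1][1])[0][1]  # authSafe [0] OCTET STRING
    infos = _children(_children(octet)[0][1])  # SEQUENCE OF ContentInfo
    kinds = [_oid_str(_children(body)[0][1]) for _, body in infos]
    return {"mac": len(top) == 3, "encrypted": kinds.count(OID_ENCRYPTED),
            "plain": kinds.count(OID_DATA)}

def requires_password(der):
    """True when a password (possibly "") must be supplied to open the file."""
    r = inspect_pfx(der)
    return r["mac"] or r["encrypted"] > 0

def build_pfx(kinds, with_mac):  # constructed sample PFX with stub bag contents
    infos = b"".join(_tlv(0x30, OID_DER[k] + _tlv(0xA0, _tlv(0x04, b"stub"))) for k in kinds)
    auth = _tlv(0x30, OID_DER[OID_DATA] + _tlv(0xA0, _tlv(0x04, _tlv(0x30, infos))))
    mac = _tlv(0x30, _tlv(0x30, b"")) if with_mac else b""  # stub MacData
    return _tlv(0x30, _tlv(0x02, b"\x03") + auth + mac)

EMPTY_PW = build_pfx([OID_ENCRYPTED, OID_DATA], True)  # shape of "-passout pass:"
NO_PW = build_pfx([OID_DATA], False)  # shape of "-certpbe NONE -keypbe NONE -nomac"
```

A shrouded key bag inside a plain data part is not inspected, so "plain" only counts unencrypted ContentInfo wrappers; the "mac" flag is what makes OpenSSL and keytool ask for a password in the first place.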
0

None of these worked for me. In the end I reverted to dotNet code which worked first time.

using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

class Script
{
    // Usage: pfxremovepwd [inpfx] [inpwd] [outpfx] [optional outpwd]
    static public void Main(string[] args)
    {
        if (args.Length < 3 || args.Contains("/?"))
        {
            MainHelp(args);
            return;
        }
        string _infile = args[0], _outfile = args[2];
        string _password = args[1], _outpassword = (args.Length > 3) ? args[3] : "";
        // Note: both passwords are echoed to the console here
        Console.WriteLine(String.Format("{0} -> {1} with ({2} -> {3})", _infile, _outfile, _password, _outpassword));
        X509Certificate2 cert = null;
        Console.WriteLine(String.Format("Load {0} with {2}", _infile, _outfile, _password, _outpassword));
        // Exportable is required, otherwise Export(Pfx) cannot include the private key
        cert = new X509Certificate2(_infile, _password, X509KeyStorageFlags.Exportable);
        Console.WriteLine(String.Format("Export {1} with {3}", _infile, _outfile, _password, _outpassword));
        File.WriteAllBytes(_outfile, cert.Export(X509ContentType.Pfx, _outpassword));
        Console.WriteLine("Export complete");
    }

    static public void MainHelp(string[] args)
    {
        Console.WriteLine("Usage pfxremovepwd [inpfx] [inpwd] [outpfx] [optional outpwd]");
    }
}
0

Here's a pure PowerShell solution that works without OpenSSL:

Install-Module -Name 'Carbon.Cryptography'
$password = Read-Host -AsSecureString
$cert = Get-CCertificate -Path PATH -Password $password -KeyStorageFlags Exportable
[IO.File]::WriteAllBytes(OUT_PATH, $cert.Export('Pfx'))
