On Wed, Dec 05, 2012 at 10:38:59AM -0800, Alex Chen wrote:
> I am trying to change the password of a private key with 'openssl rsa'
> command. The original key file, server.key.enc has the following format:
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> ....
> -----END ENCRYPTED PRIVATE KEY-----

This is a private key in PKCS#8 format.

>
> When I used the command "openssl rsa -in server.key.enc -passin
> pass:old_password -out server.key", a new decrypted key file is
> generated with the following format:
> -----BEGIN RSA PRIVATE KEY-----
> ...
> -----END RSA PRIVATE KEY-----
>
> But when I use the command "openssl rsa -in server.key.enc -passin
> pass:old_password -out server.key -passout pass:new_password", hoping
> the new key file will be encrypted with the new password, I still get
> the same decrypted key file below
> -----BEGIN RSA PRIVATE KEY-----
> ...
> -----END RSA PRIVATE KEY-----

You must use one of the -des, -aes128, -aes192, -aes256 options to get
an encrypted RSA key. It then looks like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B9A804CC6B6B2B3B

fpz9643saAI47PWga4Or3xcBY372owuck/9jGO19rBbrfW6NSyUvJevHRWvcHNGM
.....
-----END RSA PRIVATE KEY-----

However, this format is an OpenSSL specific extension. To get the key in
the same format (PKCS#8) as before, just with a changed password, use:

openssl pkcs8 -topk8 -in server.key.enc -passin pass:old_password \
    -out server.key -passout pass:new_password

Cheers
Christian

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
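
The passphrase change from the reply above, as an added example that is not part of the thread or of OpenSSL's own documentation: it re-encrypts a throwaway PKCS#8 key and then checks the result instead of trusting the exit code. The function names, the `OLD_PW`/`NEW_PW` variables, the temporary paths and the passphrases are constructed for the demo, and `env:` and `-v2 aes-256-cbc` are choices made here, not flags used in the original message.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and passphrases are constructed.
# Passphrases are passed with env: instead of pass: to keep them off the
# command line, where other local users could read them with ps.

# rekey_pkcs8 IN OUT: re-encrypt PKCS#8 key IN ($OLD_PW) as OUT ($NEW_PW).
rekey_pkcs8() {
    ( umask 077   # new key file is readable by its owner only
      # -v2 pins PBES2 with AES-256-CBC instead of relying on the build default
      openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -passin env:OLD_PW \
                    -out "$2" -passout env:NEW_PW )
}

# opens_with FILE VAR: succeed only if FILE decrypts with the passphrase in $VAR.
opens_with() {
    openssl pkey -in "$1" -passin "env:$2" -noout </dev/null >/dev/null 2>&1
}

# pub_of FILE VAR: print the public key, to prove the key pair is unchanged.
pub_of() { openssl pkey -in "$1" -passin "env:$2" -pubout </dev/null 2>/dev/null; }

# rekey_selftest: build a throwaway encrypted key, change its passphrase,
# and print "ok" only if every check passes.
rekey_selftest() {
    dir=$(mktemp -d) || return 1
    OLD_PW='constructed-old-passphrase'; NEW_PW='constructed-new-passphrase'
    export OLD_PW NEW_PW
    old="$dir/server.key.enc"; new="$dir/server.key"; rc=0
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null |
        openssl pkcs8 -topk8 -v2 aes-256-cbc -passout env:OLD_PW -out "$old" || rc=1
    rekey_pkcs8 "$old" "$new" || rc=1
    # Output must still be encrypted PKCS#8, not a plaintext key.
    [ "$(head -n 1 "$new")" = '-----BEGIN ENCRYPTED PRIVATE KEY-----' ] || rc=1
    opens_with "$new" NEW_PW || rc=1      # new passphrase works
    opens_with "$new" OLD_PW && rc=1      # old passphrase must be rejected
    [ -n "$(pub_of "$new" NEW_PW)" ] &&
        [ "$(pub_of "$old" OLD_PW)" = "$(pub_of "$new" NEW_PW)" ] || rc=1
    rm -rf "$dir"
    [ "$rc" -eq 0 ] && echo ok
}

rekey_selftest
```

The header check is the one that catches the failure described in the question, where the output file silently ends up unencrypted.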