Thanks to Mr. Hohnstaedt and Dr. Henson for answering my questions. It
was very useful.
Alex
On 12/6/2012 4:38 AM, Dr. Stephen Henson wrote:
On Thu, Dec 06, 2012, Christian Hohnstaedt wrote:
On Wed, Dec 05, 2012 at 10:38:59AM -0800, Alex Chen wrote:
I am trying to change the password of a private key with 'openssl rsa'
command. The original key file, server.key.enc has the following format:
-----BEGIN ENCRYPTED PRIVATE KEY-----
....
-----END ENCRYPTED PRIVATE KEY-----
This is a private key in PKCS#8 format.
When I used the command "openssl rsa -in server.key.enc -passin
pass:old_password -out server.key", a new decrypted key file is
generated with the following format:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
But when I use the command "openssl rsa -in server.key.enc -passin
pass:old_password -out server.key -passout pass:new_password", hoping
the new key file will be encrypted with the new password, I still get
the same decrypted key file below
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
You must use one of the -des, -aes128, -aes192, -aes256 options
to get an encrypted RSA key. It then looks like:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B9A804CC6B6B2B3B
fpz9643saAI47PWga4Or3xcBY372owuck/9jGO19rBbrfW6NSyUvJevHRWvcHNGM
.....
-----END RSA PRIVATE KEY-----
However, this format is an OpenSSL specific extension.
To get the key in the same format (PKCS#8) as before,
just with a changed password, use:
openssl pkcs8 -topk8 -in server.key.enc -passin pass:old_password \
    -out server.key -passout pass:new_password
In OpenSSL 1.0.0 and later it's rather easier. You can for example:
openssl pkey -in old.pem -out new.pem -aes256
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
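
The PKCS#8 re-encryption suggested in the thread, written as a script that checks its own result. This is an added example, not code from the thread or from the OpenSSL project. The helper names (key_label, rekey_pkcs8, demo), the passphrase files and the throwaway key are constructed for illustration, and it assumes an openssl binary, 1.0.0 or later, on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.
# Passphrases come from files (file:PATH): pass:... on the command line
# is visible to other users in the process list.

key_label() {  # print the PEM label from the first line of file $1
    sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

rekey_pkcs8() {  # usage: rekey_pkcs8 SRC OLD_PASS_FILE DST NEW_PASS_FILE
    src=$1; oldpw=$2; dst=$3; newpw=$4; tmp="$dst.tmp.$$"
    # -v2 aes-256-cbc forces PBES2; older OpenSSL releases default to a
    # DES-based scheme.
    ( umask 077
      openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$src" -passin "file:$oldpw" \
          -out "$tmp" -passout "file:$newpw" ) || { rm -f "$tmp"; return 1; }
    # Install the result only if it is encrypted PKCS#8 that the new
    # passphrase opens; otherwise leave DST untouched.
    if [ "$(key_label "$tmp")" = "ENCRYPTED PRIVATE KEY" ] &&
       openssl pkey -in "$tmp" -passin "file:$newpw" -noout 2>/dev/null; then
        mv "$tmp" "$dst"
    else
        rm -f "$tmp"; return 1
    fi
}

demo() {  # constructed throwaway key and passphrases, removed afterwards
    d=$(mktemp -d) || return 1
    printf 'old_password\n' > "$d/old"
    printf 'new_password\n' > "$d/new"
    openssl genrsa 2048 2>/dev/null |
        openssl pkcs8 -topk8 -v2 aes-256-cbc -passout "file:$d/old" \
            -out "$d/server.key.enc" &&
    rekey_pkcs8 "$d/server.key.enc" "$d/old" "$d/server.key" "$d/new" &&
    openssl pkey -in "$d/server.key" -passin "file:$d/new" -noout &&
    ! openssl pkey -in "$d/server.key" -passin "file:$d/old" -noout 2>/dev/null
    rc=$?; rm -rf "$d"; return $rc
}

demo && echo "re-encrypted: new passphrase opens the key, old one does not"
```

The label check is what catches the situation from the original question, where a command exits successfully but leaves an unencrypted key on disk.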