How to find whether private key is encrypted or non-encrypted?
A: Open the private key file in Notepad. If the first and last lines are "-----BEGIN ENCRYPTED PRIVATE KEY-----" and "-----END ENCRYPTED PRIVATE KEY-----", this is an encrypted private key protected by a passphrase. For a non-encrypted private key the first and last lines are "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----".
What is a private key passphrase?
A: The passphrase is a password (a string of characters) used to encrypt the private key file that contains the RSA key, using a symmetric cipher (usually DES or 3DES).
Can I import an encrypted private key without a passphrase?
A: No. An encrypted private key can only be imported with the exact passphrase it was encrypted with.
List of supported characters in passphrase:
List of un-supported characters in passphrase:
| Character | Description |
|---|---|
| ` | Grave accent (backtick) |
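The header check from the first answer and the unsupported-character check from the table above, written out as an added Python example (this is not code from the article or from any vendor tool). It also recognises the older OpenSSL "traditional" format, in which an encrypted key keeps the "RSA PRIVATE KEY" lines and is marked instead by a "Proc-Type: 4,ENCRYPTED" header inside the block; the answer above does not mention that case. All function names and the sample PEM texts are constructed for the example, and the base64 bodies are placeholders rather than real key material.

```python
import re

# Armour labels named on this page. "Proc-Type: 4,ENCRYPTED" is the header
# OpenSSL writes inside a traditional "RSA PRIVATE KEY" block when that older
# format is passphrase-protected; it is an extra case not listed above.
PKCS8_ENCRYPTED = "ENCRYPTED PRIVATE KEY"
TRADITIONAL_RSA = "RSA PRIVATE KEY"
PKCS8_PLAIN = "PRIVATE KEY"
PROC_TYPE_ENCRYPTED = "Proc-Type: 4,ENCRYPTED"

# One PEM block: label captured in group 1, body (headers + base64) in group 2.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Taken from the page's table of unsupported passphrase characters. The page's
# list of supported characters is not reproduced here, so this only flags "`".
UNSUPPORTED_PASSPHRASE_CHARS = frozenset("`")


def classify_private_key(pem_text: str) -> str:
    """Classify the first private key found in a PEM file or bundle.

    Returns 'pkcs8-encrypted', 'traditional-encrypted',
    'traditional-unencrypted', 'pkcs8-unencrypted' or 'no-private-key'.
    Certificate blocks in the same file are skipped.
    """
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        if label == PKCS8_ENCRYPTED:
            return "pkcs8-encrypted"
        if label == TRADITIONAL_RSA:
            # Same BEGIN/END lines either way; the headers tell them apart.
            if PROC_TYPE_ENCRYPTED in body:
                return "traditional-encrypted"
            return "traditional-unencrypted"
        if label == PKCS8_PLAIN:
            return "pkcs8-unencrypted"
    return "no-private-key"


def needs_passphrase(pem_text: str) -> bool:
    """True when importing this key will require the passphrase."""
    return classify_private_key(pem_text) in {"pkcs8-encrypted", "traditional-encrypted"}


def unsupported_passphrase_chars(passphrase: str) -> list:
    """Characters in the passphrase that the import rejects, sorted."""
    return sorted(set(passphrase) & UNSUPPORTED_PASSPHRASE_CHARS)


# Constructed samples: the base64 bodies are placeholders, not real keys.
SAMPLE_PKCS8_ENCRYPTED = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI...\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
SAMPLE_TRADITIONAL_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "MIIEpAIBAAKCAQEA...\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_TRADITIONAL_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEpAIBAAKCAQEA...\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgI...\n-----END CERTIFICATE-----\n"
    + SAMPLE_PKCS8_ENCRYPTED
)

if __name__ == "__main__":
    for name, text in [("pkcs8 encrypted", SAMPLE_PKCS8_ENCRYPTED),
                       ("traditional encrypted", SAMPLE_TRADITIONAL_ENCRYPTED),
                       ("traditional plain", SAMPLE_TRADITIONAL_PLAIN),
                       ("cert + key bundle", SAMPLE_BUNDLE)]:
        print(f"{name:22s} -> {classify_private_key(text)}")
    print("rejected characters:", unsupported_passphrase_chars("my`secret"))
```

Running the classifier over a bundle before uploading tells you whether a passphrase prompt is expected; running the character check over the passphrase tells you, before the upload fails, whether the key has to be converted as described further down.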
What happens if an unsupported character is used in the passphrase and an attempt is made to import the certificate?
A: If an unsupported character is used in the passphrase, the error message below is displayed while uploading the certificate.
How to convert an encrypted private key (with an unsupported character in the passphrase) to an un-encrypted private key file?
A: If we import a PEM format certificate file whose private key passphrase contains an unsupported character, the upload fails with the error message mentioned above. Hence we need to convert the encrypted private key to an unencrypted private key. Below are the steps, for a Windows machine, to extract the private key separately, convert it and re-assemble the certificate file with the unencrypted key.
- Open the PEM format certificate file, which contains the private key and the complete certificate chain, in Notepad.
- CUT/COPY the private key part, which starts with "-----BEGIN ENCRYPTED PRIVATE KEY-----" and ends with "-----END ENCRYPTED PRIVATE KEY-----".
- Open another Notepad window, PASTE the content and save the file locally with '.pem' as the extension.
- Download OpenSSL for Windows and follow its installation instructions.
- Open a command prompt and navigate to the folder where 'openssl.exe' is located (the default location is C:\Openssl\bin\).
- Execute the below command to convert:
>openssl.exe rsa -in <Traditional PEM Key Filename> -out <Unencrypted Key Filename>
- Once the command is executed, you will be prompted to enter the passphrase. Enter the passphrase (the same passphrase used when creating the CSR).
- If the conversion is successful, 'writing RSA key' is displayed and no error is shown.
- Open the unencrypted key file, copy the complete content (starts with 'BEGIN RSA PRIVATE KEY' and ends with 'END RSA PRIVATE KEY') and replace the private key part in the PEM formatted certificate file (the content which starts with 'BEGIN ENCRYPTED PRIVATE KEY' and ends with 'END ENCRYPTED PRIVATE KEY').
- Save the file and attempt to import it without any passphrase.
What if the certificate is imported in PKCS#12 format? Will I get the same error?
A: Yes, the same error message will be displayed, because the private key inside a PKCS#12 file is stored in PKCS#8 format.
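The extract, convert and replace steps above, scripted in Python as an added example (not code from this article or from OpenSSL): it cuts the encrypted key block out of the bundle, runs the same `openssl rsa -in ... -out ...` command non-interactively with the passphrase fed on standard input, and splices the unencrypted key back in where the encrypted one was. All function names and the sample bundle are constructed for the example; the base64 bodies are placeholders, not real key material. The command assumes `openssl` is on PATH, or is pointed at the page's default Windows location C:\Openssl\bin\openssl.exe.

```python
import re
import subprocess
from pathlib import Path

ENCRYPTED_LABEL = "ENCRYPTED PRIVATE KEY"
# `openssl rsa` writes "RSA PRIVATE KEY" on OpenSSL 1.x and "PRIVATE KEY"
# (PKCS#8) on OpenSSL 3 unless -traditional is given; both are unencrypted.
PLAIN_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY")
PROC_TYPE_ENCRYPTED = "Proc-Type: 4,ENCRYPTED"

# One PEM block including its trailing newline, label captured in group 1.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----\r?\n?", re.DOTALL
)


def extract_encrypted_key(bundle: str):
    """Steps 1-3: return (encrypted key block, bundle with that block removed)."""
    for m in PEM_BLOCK.finditer(bundle):
        if m.group(1) == ENCRYPTED_LABEL:
            return m.group(0), bundle[: m.start()] + bundle[m.end():]
    raise ValueError("no ENCRYPTED PRIVATE KEY block in bundle")


def is_unencrypted_key(pem_text: str) -> bool:
    """True for a key block that can be imported without a passphrase."""
    m = PEM_BLOCK.search(pem_text)
    return (m is not None and m.group(1) in PLAIN_LABELS
            and PROC_TYPE_ENCRYPTED not in m.group(0))


def decrypt_with_openssl(encrypted_key, plain_key, passphrase, openssl="openssl"):
    """Steps 4-7: run the page's `openssl rsa -in ... -out ...` command.

    The passphrase goes in on stdin (-passin stdin) instead of the command
    line, so it is not visible in process listings or shell history.
    """
    # On Windows: openssl=r"C:\Openssl\bin\openssl.exe" (page's default path).
    result = subprocess.run(
        [openssl, "rsa", "-in", str(encrypted_key), "-out", str(plain_key),
         "-passin", "stdin"],
        input=passphrase + "\n", capture_output=True, text=True,
    )
    if result.returncode != 0:  # wrong passphrase or unreadable input
        raise RuntimeError(result.stderr.strip())
    return Path(plain_key).read_text()


def replace_key(bundle: str, plain_key: str) -> str:
    """Step 8: splice the unencrypted key in where the encrypted one was."""
    if not is_unencrypted_key(plain_key):
        raise ValueError("replacement is not an unencrypted private key")
    block = PEM_BLOCK.search(plain_key).group(0)
    if not block.endswith("\n"):
        block += "\n"
    for m in PEM_BLOCK.finditer(bundle):
        if m.group(1) == ENCRYPTED_LABEL:
            return bundle[: m.start()] + block + bundle[m.end():]
    raise ValueError("no ENCRYPTED PRIVATE KEY block in bundle")


def convert_bundle(bundle_path, passphrase, workdir, openssl="openssl"):
    """Whole procedure on one file; returns the re-assembled bundle text."""
    workdir = Path(workdir)
    bundle = Path(bundle_path).read_text()
    enc_block, _ = extract_encrypted_key(bundle)
    enc_path = workdir / "key_encrypted.pem"
    enc_path.write_text(enc_block)
    plain = decrypt_with_openssl(enc_path, workdir / "key_plain.pem", passphrase, openssl)
    return replace_key(bundle, plain)


# Constructed sample inputs: bodies are placeholders, not real key material.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgI...\n-----END CERTIFICATE-----\n"
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOBgkqhkiG9w0BBQ0w...\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIEGjCCAwKgAwIBAgI...\n-----END CERTIFICATE-----\n"
)
SAMPLE_PLAIN_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_STILL_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIEpAIBAAKCAQEA...\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(replace_key(SAMPLE_BUNDLE, SAMPLE_PLAIN_KEY))
```

`replace_key` refuses to splice in a key that is still encrypted, which catches the case where `openssl rsa` was run with an extra `-aes256`/`-des3` option or the wrong file was picked up. Once the conversion is done, the key sits on disk in plaintext, so restrict file permissions on the work directory and delete the intermediate files after the import succeeds.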