How to remove a private key passphrase using OpenSSL

Removing a passphrase from an OpenSSL private key creates an unencrypted copy that a service can read at startup without an operator prompt. That copy is easier to automate but more dangerous to expose, so keep the encrypted source key unchanged until the service, appliance, or certificate workflow has been tested with the new file.

The openssl pkey command reads encrypted or unencrypted private keys and writes a new key file. When an encrypted key is used as input, OpenSSL prompts for the passphrase unless a protected password source is supplied with -passin.

Leaving off an output cipher writes the new private key without passphrase protection. Use a different output filename, restrict the file mode immediately, and avoid putting the passphrase directly on the command line because process listings and shell history can expose it.

Steps to remove a private key passphrase using OpenSSL:

  1. Move to the private directory that contains the encrypted key.
    $ cd ~/tls-keys
  2. Set a restrictive file-creation mask for new key files in this shell session.
    $ umask 077

    Files created after this command are not readable by group or other users unless a later command changes the mode.

  3. Confirm OpenSSL can read the encrypted source key before creating a new file.
    $ openssl pkey -in server-encrypted.key -check -noout
    Enter pass phrase for server-encrypted.key:
    Key is valid
  4. Write an unencrypted copy with a different output filename.
    $ openssl pkey -in server-encrypted.key -out server-unencrypted.key
    Enter pass phrase for server-encrypted.key:

    Do not use the same path for -in and -out. OpenSSL can replace the output file contents while writing, so a failed or interrupted command can damage the only copy of the key.

    For unattended runs, use a protected passphrase source such as -passin file:key.pass instead of putting the passphrase after pass: on the command line.

  5. Restrict the unencrypted private key file.
    $ chmod 600 server-unencrypted.key
  6. Verify that the new key can be parsed without a passphrase.
    $ openssl pkey -in server-unencrypted.key -check -noout
    Key is valid
  7. Confirm the encrypted source and unencrypted copy are separate restricted files.
    $ ls -l server-encrypted.key server-unencrypted.key
    -rw------- 1 user user 1886 Jun  5 20:41 server-encrypted.key
    -rw------- 1 user user 1704 Jun  5 20:41 server-unencrypted.key

    Keep the encrypted source until the target service or appliance has started successfully with the unencrypted copy.
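The steps above collected into one shell function, as an added example that is not part of the original page: the function names (pem_is_encrypted, strip_key_passphrase), the passphrase-file convention and the sample file names are assumptions. The passphrase is read through -passin file: as step 4 recommends, and the function adds the checks an operator would want before running this unattended: it refuses the same path for -in and -out, refuses to overwrite an existing output file, refuses an input that is not an encrypted PEM key, and verifies that the copy parses with no passphrase source at all before reporting success.

```shell
#!/bin/sh
# Added example, not part of the original page. Wraps the page's steps in a
# function with the safety checks the text describes. The function names,
# the passphrase-file convention and the sample file names are assumptions.
set -eu

# Succeeds when a PEM file holds an encrypted private key. PKCS#8 encrypted
# keys start with "BEGIN ENCRYPTED PRIVATE KEY"; legacy traditional-format
# keys carry a "Proc-Type: 4,ENCRYPTED" header line instead.
pem_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# strip_key_passphrase SRC DST PASSFILE
# Writes an unencrypted copy of SRC to DST. The passphrase is read from
# PASSFILE through -passin file: so it never appears in argv or shell history.
# Returns 2 when an input is refused, 1 when the result is not as expected.
strip_key_passphrase() {
    src=$1
    dst=$2
    passfile=$3

    # The same path for -in and -out can destroy the only copy of the key.
    if [ "$src" = "$dst" ]; then
        echo "refusing: -in and -out are the same path" >&2
        return 2
    fi
    # Never clobber an existing file; pick a fresh output filename instead.
    if [ -e "$dst" ]; then
        echo "refusing: $dst already exists" >&2
        return 2
    fi
    if ! pem_is_encrypted "$src"; then
        echo "refusing: $src is not an encrypted PEM private key" >&2
        return 2
    fi

    # Step 3: prove the source parses with this passphrase before writing anything.
    openssl pkey -in "$src" -passin "file:$passfile" -check -noout >/dev/null

    # Steps 2, 4 and 5: restrictive umask for the new file, no output cipher
    # (so the copy is unencrypted), then an explicit mode 600.
    ( umask 077 && openssl pkey -in "$src" -passin "file:$passfile" -out "$dst" )
    chmod 600 "$dst"

    # Step 6: the copy must parse with no passphrase source at all.
    openssl pkey -in "$dst" -check -noout >/dev/null
    if pem_is_encrypted "$dst"; then
        echo "error: $dst is still encrypted" >&2
        return 1
    fi
    echo "wrote unencrypted copy to $dst (mode 600); keep $src until the service starts with it"
}

# Invoked as a script with three arguments, run the conversion.
if [ "$#" -eq 3 ]; then
    strip_key_passphrase "$1" "$2" "$3"
fi
```

Invoked with three arguments (the encrypted source, a new output name, and the passphrase file), the script performs steps 3 to 6 in order and stops at the first failure, so a wrong passphrase never produces a partial output file. The passphrase file should itself be created under the same umask 077 and removed once the copy has been verified; the encrypted source is deliberately left in place, as step 7 advises.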