All Products
Search
Document Center

Keys without password protection

Last Updated: Jun 04, 2021

Overview

This article describes password-protected keys and how to remove the password protection of a key.

Solutions

To use SSL certificates for your Alibaba Cloud services, you need to provide the keys of the certificates. If the keys are protected by passwords, the services cannot use the keys when the services load the certificates. As a result, the certificates cannot be decrypted, and the HTTPS service becomes invalid. To address this issue, you must provide a key without password protection and the certificate file that corresponds to the key. For information about keys, see What is a public key and a private key?

Formats of password-protected keys

The following sections describe the keys that are protected by passwords and are in the formats of Public-Key Cryptography Standards (PKCS) #8 and OpenSSL Abstract Syntax Notation (ASN).

Note: The key generated by using keytool is automatically protected by a password. You can convert the key into a key without a password. For more information about conversion methods, see What formats are used for mainstream digital certificates?

Keys in the PKCS #8 format

Format of the PKCS #8 keys that are protected by passwords:

-----BEGIN ENCRYPTED PRIVATE KEY-----
......BASE64 [$Context]......
-----END ENCRYPTED PRIVATE KEY-----

Note: [$Context] indicates the content of the key.

Keys in the OpenSSL ASN format

Format of the OpenSSL ASN keys that are protected by passwords:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info:DES-EDE3-CBC,4D5D1AF13367D726
......BASE64 [$Context]......
-----END RSA PRIVATE KEY-----

Remove the password protection of a key

  1. If your key is protected by a password, create a file for the key from which you want to remove password protection.
  2. Run the following command in the directory in which the key file is stored to remove password protection:
    openssl rsa -in [$Encryedprivate_Key] -out [$Unencryed_Key]
    Note:
    • [$Encryedprivate_Key] indicates the file for the key that is protected by a password.
    • [$Unencryed_Key] indicates the file for the key from which you want to remove password protection. The file name extension is .key or .pem.

Application scope

  • SSL Certificates Service