HTTPS Certificates and Passphrase

HTTPS, as you probably know, uses certificates, and certificates involve a public-private key pair. The private key is the part that resides on the server side. In most cases, the private key is protected by another layer: it is stored encrypted, and a passphrase is used to decrypt it.

In short, without this passphrase, you will not be able to verify HTTPS communication, even if you have access to the private key. Let's see how to verify that you have the correct passphrase in the example below!

Step 1 – Generating a private RSA key

First, we generate a private RSA key using the command below.

openssl genrsa -des3 -out mykey.pem

This will write a new key to the file called mykey.pem. You will be prompted for the passphrase when running this command. By default, the key will be 512 bits long. A new random key is generated each time the command is run. Below is the key that was generated for me.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7EA46E1BF4BDF099

k7JJm7/wLh9dJtMYWdwUAO+Khg3DdlSgX0jU45cuy7r1BDj4p1IoXTeV0d7sz5V9
xY/8VRHIBVUEg7yt+7ygibfiLcwntpRf5Or98hEHb6Ak9D5GxMQJuqLXrsKJpl/z
KtOKyz4cv8FZQOXhUnhROb0+DO6qSc+RhB6fL+Ekuu3hmTtG0tKrJtkvbWRUKRXz
fPZeSpztQGleII4oIyq/Sh6afFRjS3bWO4sy/aLFdwh485TKyJ+NU8/oHQdbKuUS
RgBLZCKx21RISAnB2+iigg80/L8O5X/vSc+TRYWeOd9q0riMtUyp4Y5ujT2+f3sb
WXFuApcORWdvrvTtEnqbfv0fh2PNQCTvBWLrqWLgEsw5/ItcXFWfXMURL/6aTe1Q
uIy5YCZaLLGC+gZyLNHirTHoMHW4Sjk/K6qhr88TvD9cePvL3v5b7w==
-----END RSA PRIVATE KEY-----

A quick glance at the Proc-Type field shows that this key is passphrase-protected. The DEK-Info field contains the cipher information (here DES-EDE3-CBC, followed by the initialization vector) that will be used to decrypt this key.

Note: If we had not used the -des3 option, Proc-Type and DEK-Info would be missing.
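The header check described above can be automated when auditing key files. The following is an added example, not code from the original post: a Python function (the name `inspect_pem_keys` and the sample are constructed for illustration; the base64 bodies are placeholders, not real keys) that reports whether each private key block in a PEM file is passphrase-protected. It goes slightly beyond the post by also recognising the PKCS#8 `ENCRYPTED PRIVATE KEY` label, which carries no Proc-Type header.

```python
import re

# One PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

# Constructed sample: headers copied from the post, bodies are placeholders.
SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7EA46E1BF4BDF099

Y29uc3RydWN0ZWQ=
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQ=
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Y29uc3RydWN0ZWQ=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQ=
-----END CERTIFICATE-----
"""

def inspect_pem_keys(text):
    """Return one finding per private-key block in a PEM string."""
    findings = []
    for label, body in PEM_BLOCK.findall(text.replace("\r\n", "\n")):
        if not label.endswith("PRIVATE KEY"):
            continue  # certificate, public key, etc.: not a private key
        headers = {}
        for line in body.splitlines():
            name, sep, value = line.partition(":")
            if not sep:
                break  # blank line or base64 body: the header section is over
            headers[name.strip()] = value.strip()
        cipher, _, iv = headers.get("DEK-Info", "").partition(",")
        if label == "ENCRYPTED PRIVATE KEY":
            protection = "pkcs8-encrypted"  # encryption details live inside the body
        elif headers.get("Proc-Type", "").replace(" ", "").upper() == "4,ENCRYPTED":
            protection = "legacy-encrypted"  # the format shown in the post
        else:
            protection = "none"  # key material is stored in the clear
        findings.append({"label": label, "protection": protection,
                         "cipher": cipher or None, "iv": iv or None})
    return findings

if __name__ == "__main__":
    for finding in inspect_pem_keys(SAMPLE):
        print(finding)
```

A finding with protection "none" marks a key file that anyone with read access can use without a passphrase.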

Step 2 – Decrypting the private key

Now, we try to access this passphrase-protected private key using the openssl rsa command-line utility. For this, use the command below.

openssl rsa -in mykey.pem

If your private key is passphrase-protected (as it is in our case), it will ask you for the passphrase. If you enter the correct one, the one that was used to encrypt this private key, you will get the decrypted private key; otherwise you will get an error. Below is the decrypted key we get upon entering the correct passphrase.

-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBANhyaRIelfag0zHYkexRA5gTephO+N3MvX4ijkhCVhTLE1qPKkRa
Z7u6Q6AA9Xria8w5Sf1nDewHeqwf9d9MjzcCAwEAAQJBAL+Kn8jVIEickcjuqlPC
bbfKpRbb7Af8A0T4N4liiuLiIpZdC6vkdUvEEmz64zxX02v0J4UOCWcnDzOpI1ux
OoECIQDvAzVjQjawZN2QbD7hLa8wIB4kMSw8fJrgUtuaw2DnhwIhAOfUn9i7MhDJ
HE5qNGLFG9tpHpxR3TXypPyuywaIAqbRAiAn2cIaBZ02teqXPOUTCFnwTTqZUDWO
9DuicU46NJ9AmwIhAKQMAlyUAlZ8aSpX3t/xiMfW99E34Kf3HqarbYEep3mxAiEA
reEYPggvKvpYT00tme4Mw71HvM5d1abiPThZyso7BPc=
-----END RSA PRIVATE KEY-----

And, voila, that is it! There you have your decrypted private key. 🙂
