HTTPS, as you probably know, uses certificates, and certificates involve a public-private key pair. The private key resides on the server side. In most cases the private key is protected by an additional layer: it is stored encrypted, and a passphrase is needed to decrypt it before it can be used.
In short, without this passphrase you cannot make use of the private key for HTTPS, even if you have the key file itself. Let's see how to check whether you have the correct passphrase in the example below!
Step 1 – Generating a private RSA key
First, we generate a private RSA key using the below command.
openssl genrsa -des3 -out mykey.pem
This will generate a new key into the file called mykey.pem. You will be prompted for the passphrase when running this command. By default (with the OpenSSL version used here; recent OpenSSL releases default to 2048 bits), the key will be 512 bits long. Each run generates a new random key. Below is the key that got generated for me.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7EA46E1BF4BDF099

k7JJm7/wLh9dJtMYWdwUAO+Khg3DdlSgX0jU45cuy7r1BDj4p1IoXTeV0d7sz5V9
xY/8VRHIBVUEg7yt+7ygibfiLcwntpRf5Or98hEHb6Ak9D5GxMQJuqLXrsKJpl/z
KtOKyz4cv8FZQOXhUnhROb0+DO6qSc+RhB6fL+Ekuu3hmTtG0tKrJtkvbWRUKRXz
fPZeSpztQGleII4oIyq/Sh6afFRjS3bWO4sy/aLFdwh485TKyJ+NU8/oHQdbKuUS
RgBLZCKx21RISAnB2+iigg80/L8O5X/vSc+TRYWeOd9q0riMtUyp4Y5ujT2+f3sb
WXFuApcORWdvrvTtEnqbfv0fh2PNQCTvBWLrqWLgEsw5/ItcXFWfXMURL/6aTe1Q
uIy5YCZaLLGC+gZyLNHirTHoMHW4Sjk/K6qhr88TvD9cePvL3v5b7w==
-----END RSA PRIVATE KEY-----
A quick glance at the Proc-Type field shows that this key is passphrase-protected. The DEK-Info header names the cipher used to encrypt the key (here DES-EDE3-CBC) followed by the hex-encoded IV; the same hex value also serves as the salt when the passphrase is turned into the decryption key.
Note: Had we omitted the -des3 option, the key would have been written unencrypted, and the Proc-Type and DEK-Info headers would be absent.
Step 2 – Decrypting the private key
Now, we try to access this passphrase-protected private key using the openssl rsa command-line utility. For this, use the below command.
openssl rsa -in mykey.pem
If your private key is passphrase-protected (as it is in our case), the command will ask you for the passphrase. If you enter the correct one, which was used to encrypt this private key, the decrypted private key is printed to standard output (use -out to write it to a file instead); otherwise you get an error. Below is the decrypted key we get upon entering the correct passphrase.
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBANhyaRIelfag0zHYkexRA5gTephO+N3MvX4ijkhCVhTLE1qPKkRa
Z7u6Q6AA9Xria8w5Sf1nDewHeqwf9d9MjzcCAwEAAQJBAL+Kn8jVIEickcjuqlPC
bbfKpRbb7Af8A0T4N4liiuLiIpZdC6vkdUvEEmz64zxX02v0J4UOCWcnDzOpI1ux
OoECIQDvAzVjQjawZN2QbD7hLa8wIB4kMSw8fJrgUtuaw2DnhwIhAOfUn9i7MhDJ
HE5qNGLFG9tpHpxR3TXypPyuywaIAqbRAiAn2cIaBZ02teqXPOUTCFnwTTqZUDWO
9DuicU46NJ9AmwIhAKQMAlyUAlZ8aSpX3t/xiMfW99E34Kf3HqarbYEep3mxAiEA
reEYPggvKvpYT00tme4Mw71HvM5d1abiPThZyso7BPc=
-----END RSA PRIVATE KEY-----
And, voila, that is it! There you have your decrypted private key. 🙂
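The two steps above, scripted end to end as an added example (this is not code from the original post): it generates a passphrase-protected key without prompting, checks the PEM headers for the encryption markers discussed in Step 1, and turns the Step 2 check into a function whose exit status says whether a candidate passphrase is correct, without ever writing the decrypted key anywhere. The file name, the passphrases and the explicit 2048-bit key size are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an encrypted RSA key
# and checks candidate passphrases against it. Key file name, passphrases
# and key size are constructed demo values.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
KEYFILE="$WORKDIR/mykey.pem"
PASS='correct-passphrase-demo'   # constructed demo passphrase

# Step 1: same as `openssl genrsa -des3 -out mykey.pem`, but the passphrase is
# supplied via -passout so the script does not prompt. The size is given
# explicitly because the default differs between OpenSSL releases.
openssl genrsa -des3 -passout "pass:$PASS" -out "$KEYFILE" 2048 2>/dev/null

# Returns 0 if the PEM file carries an encryption marker: either the legacy
# "Proc-Type: 4,ENCRYPTED" header shown in the post, or the PKCS#8
# "ENCRYPTED PRIVATE KEY" envelope that newer OpenSSL releases write by default.
is_encrypted_key() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Step 2: `openssl rsa -in key` decrypts the key. -noout discards the plaintext
# key so nothing is written to disk or the terminal; the exit status alone
# tells us whether the passphrase was right.
check_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Prints "ok" or "wrong" for a candidate passphrase against the demo key.
verify() {
    if check_passphrase "$KEYFILE" "$1"; then echo ok; else echo wrong; fi
}

is_encrypted_key "$KEYFILE" && echo "key is passphrase-protected"
verify "$PASS"            # ok
verify "not-the-pass"     # wrong
```

Passing the passphrase with pass: is convenient for a demo but exposes it in the process list; for real keys prefer -passin file:/path or -passin stdin, and keep -noout unless you actually need the decrypted key written out.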