How to Remove Private Key Password from PKCS12 Container for OpenVPN Configuration

When you export a client certificate from Chrome's certificate manager, the PKCS12 container (.p12/.pfx) is protected by a password that also encrypts the private key inside it. That is the right default for a file that travels between machines, but it breaks automated OpenVPN connections: the client stops at a password prompt and nobody is there to answer it.

Before proceeding, ensure you have:

  • OpenSSL installed (version 1.1.1 or newer recommended; if OpenSSL 3 refuses to read the container with an "unsupported" algorithm error, add -legacy to the read commands below)
  • The original PKCS12 file exported from Chrome
  • The current password for the PKCS12 container

Here's how to create a password-less PKCS12 file:

# First extract the private key; -nodes writes it unencrypted (will prompt for the container password)
openssl pkcs12 -in original.p12 -nocerts -out privatekey.pem -nodes

# Extract the client certificate (will prompt again)
openssl pkcs12 -in original.p12 -clcerts -nokeys -out certificate.pem

# Create the new PKCS12 with an empty password (-passout pass: with nothing after the colon)
openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem -out passwordless.p12 -passout pass:

Confirm the new file doesn't require a password:

openssl pkcs12 -info -in passwordless.p12 -noout -passin pass:

Update your OpenVPN config to use the new file:

pkcs12 /path/to/passwordless.p12
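The steps above as one script, plus the checks a deployment pipeline should run before trusting the new file. This is an added example, not code from the original article; the function names, the constructed test fixture and the demo argument are its own assumptions, and it needs only the openssl command-line tool. It goes beyond the text in two ways: it carries over any CA certificates the container holds (OpenVPN's pkcs12 directive can rely on them when the config has no separate ca directive, and -clcerts alone drops them), and it verifies that the private key really belongs to the certificate and that the result is readable by its owner only.

```sh
#!/bin/sh
# Added example (not from the original article): re-export a PKCS12 without a
# password, keeping any CA chain it carries, then verify the result.
set -eu

# Re-export $1 (unlocked with password $3) as password-less $2.
strip_p12_password() {
    local src=$1 dst=$2 d certfile_args
    export PKCS12_PASS="$3"      # env: source keeps the password out of `ps`
    d=$(mktemp -d)               # created mode 0700
    openssl pkcs12 -in "$src" -clcerts -nokeys -out "$d/cert.pem" -passin env:PKCS12_PASS
    openssl pkcs12 -in "$src" -cacerts -nokeys -out "$d/ca.pem"   -passin env:PKCS12_PASS
    openssl pkcs12 -in "$src" -nocerts -nodes  -out "$d/key.pem"  -passin env:PKCS12_PASS
    unset PKCS12_PASS
    # Keep the CA certificates, if any, so OpenVPN can still use them.
    certfile_args=""
    if grep -q 'BEGIN CERTIFICATE' "$d/ca.pem"; then
        certfile_args="-certfile $d/ca.pem"      # mktemp path, no spaces
    fi
    # Subshell umask: the new container is created readable by its owner only.
    ( umask 077 && openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
          $certfile_args -out "$dst" -passout pass: )
    rm -rf "$d"                  # the unencrypted key material is gone
}

# Return 0 only if $1 opens with an empty password (what OpenVPN tries first),
# its private key matches its client certificate, and the file mode is 0600.
verify_p12() {
    local f=$1 cert_pub key_pub mode
    openssl pkcs12 -in "$f" -info -noout -passin pass: 2>/dev/null || return 1
    cert_pub=$(openssl pkcs12 -in "$f" -clcerts -nokeys -passin pass: 2>/dev/null \
               | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$f" -nocerts -nodes -passin pass: 2>/dev/null \
              | openssl pkey -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU, then BSD stat
    [ "$mode" = "600" ]
}

# Print how many CA certificates a password-less container carries.
p12_ca_count() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin pass: 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Constructed test fixture (stands in for a browser export): a throwaway CA, a
# client certificate it signed, and a password-protected PKCS12 holding
# client cert + key + CA.
make_test_p12() {
    local out=$1 pass=$2 d
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
    PKCS12_PASS=$pass openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
        -certfile "$d/ca.crt" -out "$out" -passout env:PKCS12_PASS
    rm -rf "$d"
}

# Stand-alone demo: `sh this-script.sh demo`
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_p12 "$work/original.p12" 'export-password'
    strip_p12_password "$work/original.p12" "$work/passwordless.p12" 'export-password'
    if verify_p12 "$work/passwordless.p12"; then
        echo "OK: $work/passwordless.p12 verified, CA certs carried over: $(p12_ca_count "$work/passwordless.p12")"
    else
        echo "FAILED: $work/passwordless.p12 did not pass verification" >&2
    fi
    rm -rf "$work"
fi
```

On a real export, call strip_p12_password with the container and the password Chrome asked you to set, then verify_p12 on the output; a non-zero return from verify_p12 means either the container still wants a password, the key and certificate do not belong together, or the file mode is wider than 0600, and none of those should reach an OpenVPN client.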

Be aware that removing password protection:

  • Leaves the private key unencrypted at rest: anyone who can read the file can authenticate to the VPN as that client
  • Should only be done when absolutely necessary
  • Requires strict file permissions (chmod 600, owned by the user OpenVPN runs as)

A middle ground is to keep the container password and let OpenVPN read it non-interactively from a root-only file with the askpass directive (askpass /path/to/passfile): the container stays encrypted at rest and only the small passphrase file needs protecting. If you do keep a password, mind the algorithms: OpenSSL 3 exports with AES-256-CBC, PBKDF2 and an HMAC-SHA-256 MAC by default, which very old OpenVPN/OpenSSL builds cannot parse. The legacy PBE and MAC options below produce a 3DES/SHA-1 container for such clients. They weaken the wrapping and are a compatibility measure, not a security improvement, and the password should still be a real passphrase:

openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem -out legacy.p12 -passout pass:replace-with-a-real-passphrase -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1

When working with PKCS12 containers for OpenVPN authentication, you'll often encounter the private key password prompt during connection establishment. This becomes particularly annoying in automated deployment scenarios where manual password entry breaks the workflow.

The solution lies in using OpenSSL to recreate the PKCS12 container without password protection. Here's the step-by-step process:

# First extract the certificate and private key (both commands prompt for the
# container password; the second also asks for a new PEM pass phrase that
# protects the extracted key while it sits on disk)
openssl pkcs12 -in your_cert.p12 -clcerts -nokeys -out certificate.crt
openssl pkcs12 -in your_cert.p12 -nocerts -out privatekey.pem

# Remove the PEM pass phrase from the private key (pkey handles RSA and EC keys
# alike; "openssl rsa" fails on the EC keys many current exports contain)
openssl pkey -in privatekey.pem -out privatekey-nopass.pem

# Recreate PKCS12 without password
openssl pkcs12 -export -in certificate.crt -inkey privatekey-nopass.pem -out final-nopass.p12 -passout pass:

You can verify the password-less PKCS12 file works by:

openssl pkcs12 -info -in final-nopass.p12 -noout -passin pass:

This should print the container's MAC and encryption details without prompting for a password (-noout suppresses the certificate and key themselves).

Update your OpenVPN configuration to use the new file:

pkcs12 "path/to/final-nopass.p12"

The connection should now establish without password prompts.

Before implementing this solution, consider that removing password protection reduces security. Only use this approach in controlled environments where the PKCS12 file is properly secured through other means (filesystem permissions, encrypted volumes, etc.). For production systems, consider alternative authentication methods.

For frequent usage, here's a bash script to automate the process:

#!/bin/bash
# Re-export a password-protected PKCS12 container as a password-less one.
# Usage: ./strip-p12-password.sh <input.p12> <output.p12>
set -euo pipefail

INPUT_P12=${1:-}
OUTPUT_P12=${2:-}

if [ -z "$INPUT_P12" ] || [ -z "$OUTPUT_P12" ]; then
    echo "Usage: $0 <input.p12> <output.p12>" >&2
    exit 1
fi

# Ask for the container password once and hand it to OpenSSL through the
# environment (-passin env:) so it never shows up in the process list.
read -r -s -p "Password for $INPUT_P12: " PKCS12_PASS
echo
export PKCS12_PASS

# Temporary files (mktemp creates them mode 0600); remove them however we
# exit, because the extracted key is written unencrypted.
CERT_FILE=$(mktemp)
KEY_FILE=$(mktemp)
trap 'rm -f "$CERT_FILE" "$KEY_FILE"' EXIT

# Extract the client certificate and the private key. -nodes writes the key
# unencrypted, so no second "openssl pkey" pass is needed.
openssl pkcs12 -in "$INPUT_P12" -clcerts -nokeys -out "$CERT_FILE" -passin env:PKCS12_PASS
openssl pkcs12 -in "$INPUT_P12" -nocerts -nodes -out "$KEY_FILE" -passin env:PKCS12_PASS
unset PKCS12_PASS

# Create the new PKCS12 with an empty password, readable by its owner only
umask 077
openssl pkcs12 -export -in "$CERT_FILE" -inkey "$KEY_FILE" -out "$OUTPUT_P12" -passout pass:

echo "Created password-less PKCS12 file at $OUTPUT_P12"