One way to encrypt your SSL certificate private keys for OpenVPN is to use the “Change Password” command on the OpenVPN GUI’s pop-up menu. That works, but it is not ideal if you are shipping the unencrypted private keys to a user for them to encrypt later on. They might forget to do it!
A better way is to encrypt the private key from the command line immediately after export. Here is the procedure:
- Install OpenSSL on some computer. There are a few ways to install OpenSSL, depending on whether you are using Windows or Linux. If you are doing this on Windows, the easiest thing to do is to download and install either OpenVPN or the OpenVPN GUI, which both include OpenSSL. If you are using Linux, install OpenVPN with your favourite package manager (e.g. apt-get install).
- Either add the OpenVPN binaries folder (e.g. C:\Program Files\OpenVPN\bin) to your system path or cd to it. Note that the OpenVPN GUI installer should add the folder to your path automatically.
- To encrypt the key unencrypted.key and output it to encrypted.key, run this command:
  openssl rsa -in unencrypted.key -des3 -out encrypted.key
- For completeness' sake, to reverse the encryption (not sure why you would want to do that!), run this command:
  openssl rsa -in encrypted.key -out unencrypted.key
After encrypting the private key, you can open it in a text editor (or dump it to the console with the cat command) to verify that it is indeed encrypted. An encrypted private key will look something like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,AFF0DDC62FCC76DD

GfCgk8CsxhFGwdMpB1tyIJTn74z0YFbChN27L/VIHZk
…etc, etc, etc
-----END RSA PRIVATE KEY-----
On the other hand, an unencrypted private key will look something like this:
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDCALmFYQwKBHJpnlukQFsdqTd95…etc, etc, etc
-----END RSA PRIVATE KEY-----
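The eyeball check above can be scripted so that no key leaves your machine unencrypted. This is an added example, not part of the original tip: it reads the same Proc-Type and DEK-Info headers shown above, and goes slightly further by also recognising the PKCS#8 labels (BEGIN ENCRYPTED PRIVATE KEY / BEGIN PRIVATE KEY) and keys embedded in an .ovpn file. The function names, file names and sample contents are assumptions made for the example, and only the first private key block in each input is examined.

```python
import re

BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def classify_private_key(pem_text):
    """Return (status, cipher): status is 'encrypted', 'unencrypted' or 'no-key'."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    for i, line in enumerate(lines):
        m = BEGIN.fullmatch(line)
        if not m or not m.group(1).endswith("PRIVATE KEY"):
            continue
        if m.group(1) == "ENCRYPTED PRIVATE KEY":
            return ("encrypted", None)  # PKCS#8: cipher is inside the DER body
        # Traditional format: "Name: value" headers sit between BEGIN and the base64 body.
        headers = {}
        for hdr in lines[i + 1:]:
            if ":" not in hdr:          # blank line or base64 ends the headers
                break
            name, _, value = hdr.partition(":")
            headers[name.strip()] = value.strip()
        if headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED":
            return ("encrypted", headers.get("DEK-Info", "").split(",")[0] or None)
        return ("unencrypted", None)
    return ("no-key", None)

def keys_not_safe_to_ship(named_texts):
    """Names of inputs whose first private key block is not passphrase-protected."""
    return [name for name, text in named_texts.items()
            if classify_private_key(text)[0] == "unencrypted"]

# Constructed samples: the base64 bodies are placeholders, not real key material.
SAMPLES = {
    "encrypted.key": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: DES-EDE3-CBC,0011223344556677\n\n"
                     "UExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n",
    "unencrypted.key": "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n"
                       "-----END RSA PRIVATE KEY-----\n",
    "pkcs8.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n",
    "client.ovpn": "client\nremote vpn.example.com 1194\n<key>\n"
                   "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n"
                   "-----END PRIVATE KEY-----\n</key>\n",
    "ca.crt": "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_private_key(text))
    print("do not ship as-is:", keys_not_safe_to_ship(SAMPLES))
```

To check real files, read each one as text and pass a dictionary of name-to-contents to keys_not_safe_to_ship in place of SAMPLES.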
That’s all for now. Please leave a comment if you found this NerdBoys.com tip useful.