Help Center/ Cloud Certificate Manager/ FAQs/ FAQs/ Certificate Consulting/ Why Is a Non-Password-Protected Private Key Required?
Updated on 2023-12-19 GMT+08:00

Why Is a Non-Password-Protected Private Key Required?

When using your certificate, other services will require its private key from you. If the key is password-protected, the services will fail to use the certificate, which will cause certificate decryption failure and HTTPS failure. Therefore, you need to provide a private key that is not password protected.

When you generate a private key, remove its password protection before uploading the certificate.

How Do I Remove Password Protection for a Private Key?

You can run the following command using OpenSSL to remove password protection for a protected private key:

openssl rsa -in encryedprivate.key -out unencryed.key

encryedprivate.key indicates the private key with password protection. unencryed.key indicates the private key with password protection removed. The extension name can be .key or .pem.

If your certificate uses a private key that is not password protected, the system checks the format of the certificate file when you deploy it on CDN. CDN requires that a certificate file must be encrypted using RSA. That is, the private key of the certificate starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----. If the certificate is not in this format, use a tool to convert the certificate format. For details, see What Are Mainstream Formats of Digital Certificates?

How Do I Determine Whether a Private Key Is Password Protected?

Use the text editor to open a private key file. If the private key file is in the following format, then it is password protected:

  • Password-protected private keys in PKCS#8 format
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    ......BASE64 Private key content......
    -----END ENCRYPTED PRIVATE KEY-----
  • Password-protected private keys in OpenSSL ASN format
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED 
    DEK-Info:DES-EDE3-CBC,4D5D1AF13367D726 
    ......BASE64 Private key content......
    -----END RSA PRIVATE KEY-----

All keys generated using Keytool are protected by passwords. You can convert them into key files that are not password protected. For details, see What Are Mainstream Formats of Digital Certificates?