Removing PEM Passphrase in SSL Certificate
Emulab generates an emulab.pem file which is by default encrypted with a PEM passphrase. It consists of two sections: the RSA private key (encrypted) and the certificate. We need to remove the PEM passphrase from the RSA private key for the file to work correctly in Gush.
Here is an example of what emulab.pem looks like:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,552F11FEB2C33DB6

KGO5Rj9QcaRD6dfiuTHWnvAcwhER2yknQjUFTkB5/zz1JqMChAkH3q6nwpCehOVF
....
aUzRSY3KpBSCoKjpe0dcZkTHPoRqyCmcU75gioSYtbD2wWcvhGFsPA==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDADCCAmkMAiRtMA0GCSqGSIb3DQEBBAUAMIG4MQswCQYDVQQGEwJVUzENMAsG
...
i6vWkw==
-----END CERTIFICATE-----
Before we proceed, please back up the original emulab.pem.
Open emulab.pem in a text editor and copy the certificate section into a new file called emulab.crt, which looks like this:
-----BEGIN CERTIFICATE-----
MIIDADCCAmkMAiRtMA0GCSqGSIb3DQEBBAUAMIG4MQswCQYDVQQGEwJVUzENMAsG
...
i6vWkw==
-----END CERTIFICATE-----
Next, we need to strip the passphrase from the RSA private key. In the terminal, run:
openssl rsa -in emulab.pem -out rsa.key
Now that rsa.key contains no passphrase, we need to combine it with emulab.crt into a new Emulab SSL certificate.
cat rsa.key emulab.crt > emulab.pem
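Finally, the passphrase-free emulab.pem can pose a security risk: the private key is now stored unencrypted, so anyone who can read the file can use it. The least we can do is make the file readable only by its owner: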
chmod 400 emulab.pem
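
The steps above as one script, plus a check of the resulting file's state; this is an added example, not Emulab or Gush code. The function names `pem_state` and `strip_passphrase` and the backup name `emulab.pem.orig` are assumptions, and `openssl x509` stands in for the manual copy into emulab.crt.

```sh
# pem_state FILE: print encrypted, plaintext-ok, plaintext-exposed or no-key.
# "exposed" = group or other hold any permission bit on an unencrypted key.
pem_state() {
    f=$1
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" || { echo no-key; return; }
    # Traditional PEM header (as in the sample above) or PKCS#8 encrypted block.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo encrypted
        return
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld -- "$f" | cut -c5-10)" = "------" ]; then
        echo plaintext-ok
    else
        echo plaintext-exposed
    fi
}

# strip_passphrase FILE: back up FILE, decrypt its key, rebuild FILE as
# key + certificate with mode 400. Runs in a subshell so umask stays local.
strip_passphrase() (
    pem=$1
    umask 077                          # files created below are owner-only
    tmp=$(mktemp -d) || exit 1
    rc=0
    {
        cp -p "$pem" "$pem.orig" &&                           # backup (still encrypted)
        openssl x509 -in "$pem" -out "$tmp/emulab.crt" &&     # certificate section
        openssl rsa -in "$pem" -out "$tmp/rsa.key" &&         # prompts for passphrase
        cat "$tmp/rsa.key" "$tmp/emulab.crt" > "$tmp/new.pem" &&
        chmod 400 "$tmp/new.pem" &&
        mv -f "$tmp/new.pem" "$pem"
    } || rc=$?
    rm -rf "$tmp"                      # no unencrypted rsa.key left on disk
    [ "$rc" -eq 0 ] && [ "$(pem_state "$pem")" = plaintext-ok ]
)
```

Run `strip_passphrase emulab.pem` and enter the passphrase when `openssl rsa` prompts; `pem_state emulab.pem` should then print `plaintext-ok`.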