OS4X Core - Extract private certificate & key from password protected certificate

From OS4X

Task

In order to use non-password protected RSA private keys for operations in OFTP2 (i.e. using them in cipher suite variables), you need to eliminate the password from the RSA private key.

Requirements

Either you use the operating system's "openssl" tool, or the one distributed with OS4X ("/opt/os4x/bin/openssl").

You need access to the file containing your private RSA key and public X509 certificate, which is most commonly the OFTP2 TLS server certificate (see "Configuration" -> "TLS" -> "TLS server certificate file").

We assume a configured TLS server certificate filename in this example as:

/opt/os4x/os4x.priv.cer

Extract RSA private key

Extract the RSA private key from the given file, saving it (without its password) in the temporary file

/tmp/rsa_priv.tmp

Command:

openssl rsa -in /opt/os4x/os4x.priv.cer -out /tmp/rsa_priv.tmp

When prompted for a password, please enter the correct password for the RSA private key. If the password is incorrect, an error message will be displayed.

Extract X509 public certificate

From the server certificate file, we extract only the X509v3 public certificate (discarding the private key and any other elements contained in the file).

Command:

openssl x509 -in /opt/os4x/os4x.priv.cer -out /tmp/x509_pub.tmp

Merge both result files to one resulting file

We create the resulting output file by concatenating both PEM-formatted text files into one:

Command:

cat /tmp/rsa_priv.tmp /tmp/x509_pub.tmp > /tmp/privcert.pem

The resulting file

/tmp/privcert.pem

can be used for private operations in OFTP2 tasks.

Cleanup

rm /tmp/rsa_priv.tmp /tmp/x509_pub.tmp

Beware that the result file "/tmp/privcert.pem" must be kept secret, since it contains your RSA private key!
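The following shell script is an added example, not part of the OS4X page or the OS4X distribution. It runs the three steps above end to end, but against a constructed, password-protected test certificate it generates itself, so it can be run anywhere openssl is installed without touching a real OFTP2 certificate. The scratch directory, the password "demo-password" and the function names are assumptions of this example. After the merge it performs the checks a practitioner wants before pointing OFTP2 at the file: the key is no longer encrypted, and the key actually belongs to the certificate. The result file is created owner-readable only, in line with the warning above.

```shell
#!/bin/sh
# Added example (not OS4X's own code): run the page's extraction procedure
# against a constructed test certificate and verify the result.
set -eu

WORK="${TMPDIR:-/tmp}/os4x_extract_demo.$$"   # scratch directory (assumption)
PASS='demo-password'                           # constructed password of the throwaway key

# Build a stand-in for /opt/os4x/os4x.priv.cer: an encrypted private key and a
# self-signed certificate in one PEM file (constructed test data, 1-day validity).
make_test_input() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=os4x-demo' \
        -keyout "$WORK/key.enc.pem" -out "$WORK/cert.pem" \
        -passout "pass:$PASS" >/dev/null 2>&1
    cat "$WORK/key.enc.pem" "$WORK/cert.pem" > "$WORK/os4x.priv.cer"
}

# The page's procedure: strip the password from the key, isolate the
# certificate, merge both into one file, remove the temporary files.
extract_privcert() {
    in="$1"; out="$2"
    umask 077   # the result holds the private key: create it owner-readable only
    openssl rsa  -in "$in" -passin "pass:$PASS" -out "$WORK/rsa_priv.tmp" 2>/dev/null
    openssl x509 -in "$in" -out "$WORK/x509_pub.tmp"
    cat "$WORK/rsa_priv.tmp" "$WORK/x509_pub.tmp" > "$out"
    rm -f "$WORK/rsa_priv.tmp" "$WORK/x509_pub.tmp"
}

# Checks on the merged file: a certificate block and a private key block are
# present, the key is not encrypted (no password prompt in OFTP2), and the
# public key derived from the private key equals the certificate's public key.
verify_privcert() {
    f="$1"
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    grep -q 'PRIVATE KEY' "$f" || return 1
    if grep -q 'ENCRYPTED' "$f"; then return 1; fi
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Run all steps; returns 0 only if the verification passes.
run_demo() {
    make_test_input
    extract_privcert "$WORK/os4x.priv.cer" "$WORK/privcert.pem"
    verify_privcert "$WORK/privcert.pem"
}

# Remove every file created by the demo, including the unprotected key.
cleanup_demo() {
    rm -rf "$WORK"
}

run_demo && echo "privcert.pem verified: $WORK/privcert.pem"
```

To apply this to a real installation, replace the constructed input with /opt/os4x/os4x.priv.cer and drop the `-passin` option so openssl prompts for the password interactively instead of reading it from the script. The public-key comparison in verify_privcert is the quickest way to confirm that the key and certificate in the merged file belong together; a mismatch means the wrong key or certificate file was used.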