If you have a private key that is not encrypted (for example, it was created with the “-nodes” command line option), you can encrypt the private key with a password. A typical openssl command and resulting interactive session is shown here:
    > openssl rsa -des3 -in hostkeyNOPASSWORD.pem -out hostkeySECURE.pem
    writing RSA key
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    >
Here's an explanation of the command line options:
- -des3 - encrypt the private key with the triple DES cipher before outputting it. The passphrase you enter must be at least four characters long.
- -in hostkeyNOPASSWORD.pem - read in the unencrypted private key from the file hostkeyNOPASSWORD.pem.
- -out hostkeySECURE.pem - write out the encrypted private key to the file hostkeySECURE.pem.
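
To check the result of the command above, this added example (not part of the original page) classifies a PEM key file by its header lines and wraps the command so that it refuses input that is not an unencrypted key and confirms the output is passphrase-protected. The function names pem_key_state and encrypt_key_checked are hypothetical; depending on the OpenSSL version, the encrypted file is written either in the traditional format (a "Proc-Type: 4,ENCRYPTED" header) or as PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY"), so both are accepted.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original page.

# Print the state of a PEM private key file:
#   encrypted-pkcs8 | encrypted-traditional | unencrypted | not-a-key
pem_key_state() {
    f=$1
    [ -r "$f" ] || { echo not-a-key; return; }
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted-pkcs8
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
        # Traditional format marks encryption with an RFC 1421 style header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo encrypted-traditional
        else
            echo unencrypted
        fi
    else
        echo not-a-key
    fi
}

# Run the page's command (openssl prompts for the pass phrase as usual),
# then verify that the file written is actually encrypted.
encrypt_key_checked() {
    src=$1
    dst=$2
    if [ "$(pem_key_state "$src")" != unencrypted ]; then
        echo "refusing: $src is not an unencrypted private key" >&2
        return 1
    fi
    # umask 077 so the new key file is readable by its owner only.
    ( umask 077 && openssl rsa -des3 -in "$src" -out "$dst" ) || return 1
    case $(pem_key_state "$dst") in
        encrypted-*) echo "ok: $dst is passphrase-protected" ;;
        *) echo "FAILED: $dst is not encrypted" >&2; return 1 ;;
    esac
}

# Usage:
#   encrypt_key_checked hostkeyNOPASSWORD.pem hostkeySECURE.pem
```

The command leaves the unencrypted input file in place; the check covers only the newly written file.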