This article explains how to use OpenSSL to decrypt a keyfile that was encrypted by a password.
On NetScaler, when creating an RSA Key, you can change the PEM Encoding Algorithm to DES3 and enter a permanent Passphrase. This encrypts the keyfile and protects it with a password or pass phrase.
[Figure: Overview diagram of verifying the keyfile encryption password]
Complete the following procedure to verify the keyfile encryption password:
If you do not know the name of the keyfile, navigate to NetScaler > Traffic Management > SSL > SSL Certificates and click the i (information icon) next to the certificate.
The Key File Name field indicates the name of the Key File.
SSH to NetScaler using PuTTY, run shell, and change the directory to /nsconfig/ssl.
View the contents of the keyfile by running cat <KeyFileName>. For example, run cat wildcard-2018.key.
At the top of the file, if you see Proc-Type: 4,ENCRYPTED, then your keyfile is encrypted (password protected).
If you do not see ENCRYPTED near the top, then your keyfile is not password protected.
Try decrypting the key with OpenSSL by running openssl rsa -in MyKeyfile.key and entering the password or pass phrase when prompted.
If you typed in the correct password, then you’ll see the decrypted key file.
If you typed in the wrong password, then you will see unable to load Private Key.
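The same checks as a small script, added here as an example and not part of the original article: it tests whether the PEM header marks the key as encrypted and whether a candidate passphrase decrypts it, without printing the private key to the terminal. It assumes openssl is on PATH; the key file and the passphrase "demo-pass" used in the demo are constructed by the script itself.

```shell
#!/bin/sh
# Added example (not from the original article): apply the procedure's checks
# to a PEM key file. Assumes openssl is on PATH; the demo key and the
# passphrase "demo-pass" are constructed below.

# is_key_encrypted FILE -> success if the PEM header marks the key as encrypted.
is_key_encrypted() {
    # Traditional (PKCS#1) keys carry "Proc-Type: 4,ENCRYPTED" on line 2;
    # newer OpenSSL writes PKCS#8, whose block is "BEGIN ENCRYPTED PRIVATE KEY".
    head -n 3 "$1" | grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY'
}

# verify_key_passphrase FILE PASSPHRASE -> success if the passphrase decrypts the key.
verify_key_passphrase() {
    # -noout keeps the decrypted key off the terminal; -check also validates
    # the RSA parameters once the key has been decrypted. A wrong passphrase
    # makes openssl fail with "unable to load Private Key".
    openssl rsa -in "$1" -noout -check -passin "pass:$2" >/dev/null 2>&1
}

# classify_key FILE PASSPHRASE -> prints plaintext | ok | bad-passphrase,
# mirroring the three outcomes described in the procedure.
classify_key() {
    if ! is_key_encrypted "$1"; then echo plaintext
    elif verify_key_passphrase "$1" "$2"; then echo ok
    else echo bad-passphrase
    fi
}

# make_demo_key FILE -> writes a throwaway 2048-bit RSA key encrypted with
# DES3 (the PEM Encoding Algorithm named in the article) under "demo-pass".
make_demo_key() {
    openssl genrsa -des3 -passout pass:demo-pass -out "$1" 2048 >/dev/null 2>&1
}

# Stand-alone demo: build the constructed key and report each outcome.
demo() {
    key=$(mktemp) || return 1
    make_demo_key "$key"
    echo "correct passphrase: $(classify_key "$key" demo-pass)"   # ok
    echo "wrong passphrase:   $(classify_key "$key" wrong-pass)"  # bad-passphrase
    rm -f "$key"
}

command -v openssl >/dev/null 2>&1 && demo
```

On NetScaler, run it from the shell against a key in /nsconfig/ssl; verify_key_passphrase is the equivalent of the interactive openssl rsa step above, with the key output suppressed.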
The OpenSSL tool used in this article is available on most Linux and Unix workstations, as well as in the NetScaler shell. Windows builds of OpenSSL are also available for download.