How to Decrypt an RSA Private Key Using OpenSSL on NetScaler

Article ID: CTX122930

Description

Citrix Gateway, formerly Citrix NetScaler Unified Gateway

This article describes how to decrypt a private key using OpenSSL on NetScaler.

Background

When a private key is encrypted with a passphrase, you must decrypt the key to use it to decrypt the SSL traffic in a network protocol analyzer such as Wireshark.

To identify whether a private key is encrypted or not, view the key using a text editor or command line. If it is encrypted, then the text ENCRYPTED appears in the first line. 

Example:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,84E01D31C0A59D1F


Instructions

You can use either of the following procedures to decrypt the private key using OpenSSL:

Decrypting the Private Key from the Command Line Interface

To decrypt the private key from the command line interface, complete the following procedure:
  1. Log on to the NetScaler appliance through PuTTY or any other SSH client (which can be downloaded from the internet). Open the shell prompt on the appliance:
    > shell
    Copyright (c) 1992-2013 The FreeBSD Project.
    Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
    The Regents of the University of California. All rights reserved.
    root@abc#

  2. Run the following command to open the /nsconfig/ssl directory where the Keys, CSR, and Certificates are stored:
    cd /nsconfig/ssl

  3. Run the following command to decrypt the private key:
    openssl rsa -in <encrypted key filename> -out <desired output file name>

    Example:
    openssl rsa -in enc.key -out dec.key

    Enter pass phrase for enc.key:      -> Enter password and hit return
    writing RSA key
    #cat dec.key
    -----BEGIN RSA PRIVATE KEY-----
    MIIBOgIBAAJBAMSREjcq8SgzJmMcmObnMMHLYOdslNFwJImuMDG+L/ED5qOJ/oah
    --
    --
    -----END RSA PRIVATE KEY-----
    root@NS_1#

    Note that the key file no longer states ENCRYPTED.
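
The decrypted file written by the procedure above stays in /nsconfig/ssl without passphrase protection, so it is useful to know which key files are in that state. The following added example (not part of the original Citrix article) applies the header check from the Background section to every file in a directory and lists the unencrypted private keys with their file modes. It also recognizes the PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` form, which the article does not show; the function names and sample files are constructed for illustration, and one key per file is assumed.

```shell
#!/bin/sh
# Added example (not Citrix code): report private keys stored without a passphrase.

# key_state FILE -> prints encrypted | plaintext | not-a-key
key_state() {
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted                      # PKCS#8: stated in the BEGIN line
    elif grep -q -e '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted                  # traditional format, as in the article
        else
            echo plaintext
        fi
    else
        echo not-a-key                      # certificate, CSR, anything else
    fi
}

# list_plaintext_keys DIR -> "<mode> <path>" for every unencrypted key in DIR
list_plaintext_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(key_state "$f")" = plaintext ] || continue
        echo "$(ls -l "$f" | awk '{print $1}') $f"
    done
}

# make_samples DIR -> writes constructed, non-functional sample files
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-CBC,0000000000000000' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/dec.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/p8.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$1/site.cert"
}

# With a directory argument, audit it; otherwise demonstrate on the samples.
if [ $# -gt 0 ]; then
    list_plaintext_keys "$1"
else
    demo=$(mktemp -d) && make_samples "$demo" && list_plaintext_keys "$demo"
    rm -rf "$demo"
fi
```

Run with the key directory as the argument (for example /nsconfig/ssl) to list every key that is readable without a passphrase, then delete decrypted copies that are no longer needed for analysis.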

Decrypting the Private Key from the Graphical User Interface

To decrypt the private key from the Graphical User Interface (GUI), complete the following procedure:

  1. Select the SSL node from the Configuration utility.

  2. Click the OpenSSL interface link.

    An OpenSSL Interface window appears.

  3. Enter the password for the key (<PEM passphrase>) that you entered when creating the key.

  4. Run the following command to verify the RSA key:
    rsa -in /nsconfig/ssl/<decrypted keyname> -check

