Server software requiring PVK


#1

I’ve managed to use the webroot method to generate the certificate chain with no issues. However, I have now hit a snag. I used Apache to allow the ACME verification to take place but the actual software in use on this server is a Windows application running under Mondo. It therefore needs a PVK, rather than PEM, format private key.

I thought that it would be simply a matter of converting the PEM to PVK, but the OpenSSL tool is telling me that I need to provide a pass-phrase. Does the key generated by LetsEncrypt really contain a pass-phrase?


#2

Hello @sebtombs,

Let’s Encrypt privkey.pem has no password at all. I suppose you are converting this pem key to pvk key using something like this:

openssl rsa -in privkey.pem -outform PVK -pvk-strong -out private.pvk
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

The “Enter PEM pass phrase” prompt is asking for a password to protect the pvk file; it is not requesting the password for Let’s Encrypt privkey.pem.

If the privkey.pem is password protected you should see something like this:

openssl rsa -in privkey.pem -outform PVK -pvk-strong -out private.pvk
Enter pass phrase for privkey.pem:
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Cheers,
sahsanu


#3

Thanks sahsanu, much appreciated, and my apologies for the delay in replying.

It’s interesting that it appears that OpenSSL has supported PVK since version 0.9.9 but there is still no mention of it in the man pages for the rsa command.

Is there no way of converting from PEM to PVK without giving the PVK a pass-phrase? Unfortunately, the software I need the key for has no instructions for use of a pass-phrase - it may be supported, but I would have to work out how.

I’d guessed that not using pvk-strong may avoid the pass-phrase, but apparently not.

All the best,

sebtombs


#4

Hello @sebtombs,

As far as I know it is not possible to specify an empty password using openssl. Using pvktool for Windows allows an empty password, maybe you could try it.

The web page is http://www.drh-consultancy.demon.co.uk/pvk.html and the direct link to the tool is http://www.drh-consultancy.demon.co.uk/pvktool.zip

You should use it like this:

C:\test\pvktool>pvk.exe -in privkey.pem -out privkey.pvk -topvk -strong
Enter Password:      <--- Here just press enter
Verifying - Enter Password:    <--- Again, just press enter

I’ve never used pvk format so don’t know whether this will work with your application.

Good luck,
sahsanu


#5

In the source code for rsa, I found the option -pvk-none… Perhaps that switch bypasses the password thingy?


#6

Good catch ;), yes, seems that it creates the pvk file without prompting for password.

$ openssl rsa -in privkey.pem -outform PVK -out private.pvk -pvk-none
writing RSA key
$

Thank you @Osiris.

Cheers,
sahsanu


#7

For lack of good documentation, go back to the source, literally :wink:


#8

Thank you Osiris, I will have a good look at the source to see what else (if anything!) is different between -pvk-strong and -pvk-none apart from the use of the pass-phrase.

All the best,

sebtombs
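
Added example, not part of the original thread and not OpenSSL's own code: a small Python check that reads a PVK file's header and reports whether the key inside is pass-phrase protected, which is the visible on-disk difference between output written with -pvk-none and with -pvk-strong. It assumes the 24-byte PVK header layout of six little-endian 32-bit fields (magic 0xB0B5F11E, reserved, key type, encrypted flag, salt length, key length); the function names and the zero-filled sample files are constructed for illustration.

```python
import struct

# Assumed PVK header: six little-endian 32-bit fields.
HEADER = struct.Struct("<6I")  # magic, reserved, keytype, encrypted, saltlen, keylen
PVK_MAGIC = 0xB0B5F11E
KEY_TYPES = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}


def inspect_pvk(data: bytes) -> dict:
    """Report whether a PVK file's key blob is pass-phrase protected."""
    if len(data) < HEADER.size:
        raise ValueError("too short to be a PVK file")
    magic, _reserved, keytype, encrypted, saltlen, keylen = HEADER.unpack_from(data)
    if magic != PVK_MAGIC:
        raise ValueError("bad magic: not a PVK file (still PEM?)")
    if encrypted and saltlen == 0:
        raise ValueError("inconsistent header: encrypted flag set but no salt")
    if len(data) < HEADER.size + saltlen + keylen:
        raise ValueError("truncated: header promises more bytes than present")
    return {
        "encrypted": bool(encrypted),
        "key_type": KEY_TYPES.get(keytype, f"unknown ({keytype})"),
        "salt_len": saltlen,
        "key_len": keylen,
    }


def sample_pvk(encrypted: bool, keylen: int = 32) -> bytes:
    """Constructed sample: valid header, zero-filled salt and blob (not a real key)."""
    saltlen = 16 if encrypted else 0  # constructed 16-byte salt for the encrypted case
    header = HEADER.pack(PVK_MAGIC, 0, 1, int(encrypted), saltlen, keylen)
    return header + bytes(saltlen) + bytes(keylen)


if __name__ == "__main__":
    for label, blob in (("pvk-none style", sample_pvk(False)),
                        ("pvk-strong style", sample_pvk(True))):
        print(label, inspect_pvk(blob))
```

To check a real file, pass its bytes: `inspect_pvk(open("private.pvk", "rb").read())`. A file reported as not encrypted holds the private key in the clear, so it needs the same file-system permissions as privkey.pem.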