A private key is normally encrypted and protected with a passphrase or password before it is transmitted or sent. When you receive an encrypted private key, you must decrypt it before you can use it together with the public server certificate to install and set up a working SSL configuration, or use it to decrypt SSL traffic in a network protocol analyzer such as Wireshark.

To identify whether a private key is encrypted, open it in any text editor such as Notepad or Notepad++. An encrypted key starts with lines similar to the following, including the word ENCRYPTED:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,AB8E2B5B2D989271273F6730B6F9C687

...
...
...
-----END RSA PRIVATE KEY-----

On the other hand, an unencrypted key has the following format, with no Proc-Type or DEK-Info header lines:

-----BEGIN RSA PRIVATE KEY-----
...
...
...
-----END RSA PRIVATE KEY-----

An encrypted key cannot be used directly by most applications; it must be decrypted first.

OpenSSL on Linux is the easiest way to decrypt an encrypted private key. Use the following command to decrypt an encrypted RSA key:

openssl rsa -in ssl.key.secure -out ssl.key

Make sure to replace "ssl.key.secure" with the file name of your encrypted key, and "ssl.key" with the file name you want for the decrypted output key file.

If the encrypted key is protected by a passphrase or password, enter the passphrase when prompted.

Once done, you will notice that the ENCRYPTED wording in the file is gone.

[Screenshot: decrypted private key]

Note
You can't tell whether a key is encrypted or decrypted from the file extension, which can be any of .pem, .cer, .crt, .der or .key.
Tip
A private key or public certificate can be encoded in X.509 binary DER form or Base64-encoded. The only way to tell whether it is in binary or Base64 encoding is to open the file in a text editor: a Base64-encoded file is readable ASCII and normally has BEGIN and END lines.

If a private key or public certificate is in binary format, you can't simply decrypt it as-is. To convert from X.509 DER binary format to PEM format, use the following commands:

For public certificate (replace server.crt and server.crt.pem with the actual file names):

openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem

For private key (replace server.key and server.key.pem with the actual file names):

openssl rsa -inform DER -outform PEM -in server.key -out server.key.pem

Tip
Sometimes a PEM file (not necessarily with the .pem extension) is already unencrypted, or contains both the certificate and the private key in one file. Use the following commands to write a clean certificate and/or private key to its own file in PEM format:

For public certificate (replace server.crt and server.crt.pem with the actual file names):

openssl x509 -inform PEM -in server.crt > server.crt.pem

For private key (replace server.key and server.key.pem with the actual file names):

openssl rsa -in server.key -text > server.key.pem

Note that -text also writes a human-readable dump of the key parameters ahead of the PEM block; the PEM block itself is at the end of the output file. Omit -text if you want the file to contain only the PEM block.
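The following shell script is an added example and is not part of the original post. It automates the checks described on this page: it tells binary DER from Base64 PEM by the first byte, tells an encrypted key from a plain one by its headers, pulls a single block out of a combined certificate-plus-key PEM file, and then runs the matching openssl command to end up with a plain PEM key. It goes slightly beyond the text by also recognising the PKCS#8 "ENCRYPTED PRIVATE KEY" label that newer OpenSSL versions write. All function names, the sample files and their contents are constructed for this demonstration; the Base64-looking body line is dummy text, not real key material, so only the classification and extraction functions are exercised on the samples.

```bash
#!/bin/sh
# Added example (not from the original post). Function names, the sample
# files and their contents are constructed for this demonstration; the
# Base64-looking body line is dummy text, not real key material.
set -e

# A DER file starts with byte 0x30 (ASN.1 SEQUENCE); PEM text starts with "-----".
is_der() {
  [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Print the label of every BEGIN line in a PEM file, one per line.
pem_labels() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Classify a file: der | pem-encrypted | pem-plain | pem-cert | unknown.
# Both the legacy "Proc-Type: 4,ENCRYPTED" header shown in the text and the
# PKCS#8 "ENCRYPTED PRIVATE KEY" label written by newer OpenSSL count as encrypted.
key_format() {
  if is_der "$1"; then echo der; return; fi
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$1" \
     || pem_labels "$1" | grep -qx 'ENCRYPTED PRIVATE KEY'; then
    echo pem-encrypted; return
  fi
  if pem_labels "$1" | grep -q 'PRIVATE KEY$'; then echo pem-plain; return; fi
  if pem_labels "$1" | grep -qx 'CERTIFICATE'; then echo pem-cert; return; fi
  echo unknown
}

# Print the first block with the given label (e.g. CERTIFICATE) from a PEM
# file that may hold several blocks; prints nothing if the label is absent.
pem_extract() {
  awk -v want="$2" '
    $0 == ("-----BEGIN " want "-----") { on = 1 }
    on { print }
    $0 == ("-----END " want "-----")   { exit }' "$1"
}

# Turn IN (DER, encrypted PEM, plain PEM or combined cert+key PEM) into a
# plain PEM private key at OUT. PASSIN is an optional OpenSSL -passin source
# such as pass:secret or file:/path/to/passfile; without it OpenSSL prompts.
to_plain_key() {
  in=$1; out=$2; passin=${3:-}
  case "$(key_format "$in")" in
    der)
      openssl rsa -inform DER -outform PEM -in "$in" -out "$out" ;;
    pem-encrypted)
      if [ -n "$passin" ]; then
        openssl rsa -in "$in" -passin "$passin" -out "$out"
      else
        openssl rsa -in "$in" -out "$out"
      fi ;;
    pem-plain)
      # Already decrypted; keep only the key block in case a cert is bundled.
      label=$(pem_labels "$in" | grep 'PRIVATE KEY$' | head -n 1)
      pem_extract "$in" "$label" > "$out" ;;
    *)
      echo "$in: not a private key" >&2; return 1 ;;
  esac
}

# ---- constructed sample files (removed again when the script exits) ------
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
BODY='MIIEowIBAAKCAQEAdummydummydummydummydummydummydummydummydummydummy'
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
  'DEK-Info: AES-256-CBC,AB8E2B5B2D989271273F6730B6F9C687' '' "$BODY" \
  '-----END RSA PRIVATE KEY-----' > "$SAMPLES/legacy-enc.key"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$BODY" \
  '-----END ENCRYPTED PRIVATE KEY-----' > "$SAMPLES/pkcs8-enc.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' "$BODY" \
  '-----END RSA PRIVATE KEY-----' > "$SAMPLES/plain.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' "$BODY" '-----END CERTIFICATE-----' \
  '-----BEGIN RSA PRIVATE KEY-----' "$BODY" '-----END RSA PRIVATE KEY-----' \
  > "$SAMPLES/combined.pem"
printf '\060\202\004\244' > "$SAMPLES/fake.der"   # bytes 30 82 04 A4: a DER SEQUENCE header

# Report what each sample looks like to the classifier.
for f in legacy-enc.key pkcs8-enc.key plain.key combined.pem fake.der; do
  printf '%-15s %s\n' "$f" "$(key_format "$SAMPLES/$f")"
done
```

On a real file you would run something like `to_plain_key ssl.key.secure ssl.key` and enter the passphrase at the OpenSSL prompt, or pass a third argument such as `file:/path/to/passfile` when the script runs unattended. The `pem_extract` function replaces the `openssl rsa -text` redirect from the tip above when all you need is the PEM block out of a bundled file, without the human-readable dump in front of it.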