If you have a private key that is not encrypted (for example, it was created with the “-nodes” command-line option), you can encrypt the private key with a password. A typical openssl command and the resulting interactive session are shown here:

  > openssl rsa -des3 -in hostkeyNOPASSWORD.pem -out hostkeySECURE.pem
  writing RSA key
  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:
  >
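
To confirm that the output file really is passphrase-protected, and to find keys that are not, the PEM armor and headers can be inspected without decoding the key. The script below is an added example, not part of the original page: the function names, the `hostkeyPKCS8.pem` and `hostcert.pem` files, and all file contents are constructed for illustration.

```shell
#!/bin/sh
# Classify a PEM private key by its armor and headers only (nothing is decoded).
# Prints: encrypted-pkcs8 | encrypted-traditional:<cipher> | unencrypted | not-a-private-key
pem_key_status() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo "encrypted-pkcs8"      # PKCS#8 container, written by newer OpenSSL releases
    elif grep -q -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            # Traditional format names the cipher in the DEK-Info header.
            cipher=$(sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1" | head -n 1)
            echo "encrypted-traditional:${cipher:-unknown}"
        else
            echo "unencrypted"
        fi
    else
        echo "not-a-private-key"
    fi
}

# Print the status of each file; return non-zero if any key is unencrypted.
audit_keys() {
    rc=0
    for f in "$@"; do
        s=$(pem_key_status "$f")
        printf '%s\t%s\n' "$s" "$f"
        if [ "$s" = "unencrypted" ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample files: real armor and headers, placeholder bodies.
d=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$d/hostkeyNOPASSWORD.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$d/hostkeySECURE.pem"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$d/hostkeyPKCS8.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$d/hostcert.pem"

audit_keys "$d"/*.pem || echo "at least one private key is stored unencrypted"
```

Once the encrypted copy has been verified, the unencrypted original should be deleted or moved to protected storage, since it still contains the same key.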

Here's an explanation of the openssl command-line options used above: