1

I have a private key for an SSL certificate that I need to send to another person to install on their server. How do I encrypt it before sending? I use PuTTY. Can I simply load the raw key in PuTTY and then go to Conversions > Export OpenSSH key and provide a passphrase? Is that how I encrypt it?

Is there another way to do this with a Linux command?

user1448031
  • This looks like a duplicate of [Can I add a password to an existing private key?](https://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key) – forest Dec 07 '17 at 02:15
  • SSH and SSL/TLS keys are not the same thing! They may have the same kind of data (an RSA or ECC private key, for example) and both can be protected with a passphrase (which encrypts the key, though you shouldn't rely too heavily on that unless the passphrase is very strong), but they are not formatted the same way for storage or transmission. – CBHacking Dec 07 '17 at 10:16
  • How do you intend to send them the password? – Hector Dec 07 '17 at 13:45
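For the operation the question literally asks about (and that CBHacking's comment describes: a passphrase encrypts the key material), here is an added example, not code from the question or from any of the commenters, that wraps an existing PEM private key into passphrase-protected PKCS#8 with the openssl CLI and then checks that the result is actually encrypted and still decrypts to the same key. It assumes openssl is installed; the file names are placeholders, and the passphrase is read from standard input rather than passed as an argument so it does not show up in the process list.

```shell
set -eu

# Wrap an unencrypted PEM private key into passphrase-protected PKCS#8
# (AES-256-CBC, key derived with PBKDF2-HMAC-SHA256). The passphrase is read
# from stdin so it never appears on the command line, where `ps` could show it.
# Usage: encrypt_key <plain.key> <encrypted.key> <passphrase>
encrypt_key() {
    umask 077   # the output file is created with mode 0600
    printf '%s\n' "$3" | openssl pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 \
        -iter 600000 -in "$1" -out "$2" -passout stdin 2>/dev/null
}

# Report whether a PEM file is passphrase-protected: prints "encrypted" or "plain".
key_state() {
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo encrypted
    else
        echo plain
    fi
}

# Decrypt the wrapped file with the passphrase and compare the public halves of
# both files, proving the wrapped key is the same key (only public material is
# ever held in a shell variable). Prints "same" or "different".
roundtrip_check() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    b=$(printf '%s\n' "$3" | openssl pkey -in "$2" -passin stdin -pubout 2>/dev/null) \
        || b='(decrypt failed)'
    if [ "$a" = "$b" ]; then echo same; else echo different; fi
}
```

The encrypted file is only as strong as the passphrase and the channel used to deliver that passphrase, which is exactly what Hector's comment asks about; the passphrase has to travel separately from the key.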

2 Answers

4

This is the wrong approach. Rather than attempting to encrypt the private key, let the user of the key generate their own private key and give you the CSR; this massively simplifies key management.

Lie Ryan
  • Would this also work for wildcard SSL if I have the main domain with one host and have multiple subdomains across different hosts? I thought wildcard SSL only needs a single private key. Correct me if I'm wrong. – user1448031 Dec 07 '17 at 03:27
  • @user1448031 - so you are trying to say you have a wildcard certificate issued by a CA that you want to send to someone that manages one of your subdomains? I.e. you are not generating certificates yourself. – Hector Dec 07 '17 at 13:45
  • @Hector Yes that's correct. – user1448031 Dec 07 '17 at 21:48
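Lie Ryan's recommendation, as an added example that is not part of the answer: the private key is generated on the host that will serve the certificate, and only the CSR (public key plus requested names, nothing secret) is handed to whoever deals with the CA. It assumes the openssl CLI (1.1.1 or later for `-addext`); the output directory and the hostname `www.example.org` are placeholders. The second function is the check the CA-facing side can run to confirm a CSR really belongs to the key it claims to.

```shell
set -eu

# Generate the private key on the host that will use it and build a CSR for it.
# The key file stays on this machine; only the .csr file is sent away.
# Usage: make_key_and_csr <output-dir> <hostname>
make_key_and_csr() {
    (
        umask 077   # the private key file is created with mode 0600
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$1/$2.key" 2>/dev/null
    )
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -out "$1/$2.csr" 2>/dev/null
}

# Check that a CSR was produced with a given key by comparing the public keys
# embedded in each. Prints "match" or "mismatch".
# Usage: csr_matches_key <file.key> <file.csr>
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
    if [ "$key_pub" = "$csr_pub" ]; then echo match; else echo mismatch; fi
}
```

Once the CA returns the certificate, only the certificate (and the chain) goes back to the host; the key it was issued against never had to travel, so there is nothing to encrypt in transit.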
0

The question says that you use PuTTY, so I believe you have SSH access to the server. If that is the case, you already have a secure, encrypted connection to the server. Adding a password on the key is redundant.

For the sake of completeness, here is the command you can use to transmit a key with a Let’s Encrypt-issued certificate to a remote server over SSH:

scp -r /etc/letsencrypt/live/example.org/ root@example.org:~/