Removing Password from RSA Private Key

How do I remove the passphrase for the SSH key without having to create a new key?

Short answer:

$ ssh-keygen -p

This will then prompt you to enter the keyfile location, the old passphrase, and the new passphrase (which can be left blank to have no passphrase).


If you would like to do it all on one line without prompts do:

$ ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]

Important: Beware that when executing commands, they will typically be logged in your ~/.bash_history file (or similar) in plain text, including all arguments provided (i.e. the passphrases in this case). It is, therefore, recommended that you use the first option unless you have a specific reason to do otherwise.

Notice though that you can still use -f keyfile without having to specify -P or -N, and that the keyfile defaults to ~/.ssh/id_rsa, so in many cases, it's not even needed.

You might want to consider using ssh-agent, which can cache the passphrase for a time. The latest versions of gpg-agent also support the protocol that is used by ssh-agent.

Removing password from RSA private key

I'm not sure what's going on here; I've tried your code and it gives the same issue, so I've generated a key myself:

openssl genrsa -des3 -out des3.rsa

Then copied the contents into this script:

<?php
// File the decrypted (passphrase-less) key is written to.
$out_key_file = 'des3nopass.rsa';

$key = <<<EOS
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5F2FDB4C8F710F92

pkaBIMCdnvrejw6egagg/lGrrGJWLsceDkC0KSdouRfR8LhQS/XjSJ/Wqrj7fa36
xXRd/USBebgy2hLAi9RMPofOjlcUyUVvZZgh0+JDQ79pH5q1FsRMcsJ+J8GO0edw
kh8zdZoCbbtJgQjTx0JheJMDdZymw4cfK5hoZbnxX6HZ1wNhtPb7Z/noNcxpK6Zl
CCzPgLd9hCGLBD2XqoRjOM1U2vpZwpCTdYgAtFIPMVXQQpzgIyw06CHcHvYZgnAc
oxiVx7Z7N9r0J1vDnlrW/OU1l07D0pBr1yPRTDMI5tBMo8KDsL2tkBxqtYyOJdZr
as/5zQDPRlbW7Jve1JuXmsnja+gN7jZ+3LpUzfRFo/wWnvOzhHQxLz+RaUpVDYTl
F4m9zjo9dgOhlZzigOhYTB+5aq5f92Yf6K0daCwTDpU=
-----END RSA PRIVATE KEY-----
EOS;

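// Load the encrypted key, decrypting it with its passphrase.
$pkey = openssl_pkey_get_private($key, 'password');
if ($pkey === false) {
    die(openssl_error_string());
}

// Write the key out without a passphrase. openssl_pkey_export() only returns
// the PEM in a variable; openssl_pkey_export_to_file() writes it to a file.
if (!openssl_pkey_export_to_file($pkey, $out_key_file)) {
    die(openssl_error_string());
}
echo "Wrote to $out_key_file\n";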

And that works fine for me.

Update

I've tried to perform this using the openssl command line as well, using your key:

openssl rsa -in des3big.rsa -out des3bignopass.rsa
unable to load Private Key
14179:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:746:

It seems that OpenSSL has an issue with it as well, so it's not PHP.

Update 2

Turns out that your lines are too long (they should be 64 characters wide):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E3B1C06E0D0C2633
-----END RSA PRIVATE KEY-----
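
Added example (not part of the answer above, and not OpenSSL or PHP code): a Python check for the condition described in "Update 2", which lists body lines wider than 64 characters in a legacy PEM block and re-wraps the body while leaving the Proc-Type and DEK-Info headers unchanged. The function names are hypothetical, and the sample block, its all-zero IV and its body bytes are constructed and are not a real key.

```python
import base64
import binascii
import re

PEM_WIDTH = 64  # body line width the answer above says is expected
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_HEADER = re.compile(r"^[A-Za-z0-9-]+: .+$")  # e.g. Proc-Type, DEK-Info

def long_lines(text, width=PEM_WIDTH):
    """Return 1-based numbers of body lines wider than `width`."""
    return [n for n, ln in enumerate(text.splitlines(), 1)
            if len(ln.rstrip()) > width
            and not ln.startswith("-----") and not _HEADER.match(ln)]

def rewrap_pem(text, width=PEM_WIDTH):
    """Return the PEM block with its base64 body re-wrapped at `width`."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    m = _BEGIN.match(lines[0]) if lines else None
    if not m or lines[-1] != f"-----END {m.group(1)}-----":
        raise ValueError("missing or mismatched BEGIN/END lines")
    inner = lines[1:-1]
    # Encrypted legacy keys carry RFC 1421 headers followed by a blank
    # line; they are copied through unchanged, only the body is re-wrapped.
    headers = []
    while inner and _HEADER.match(inner[0]):
        headers.append(inner.pop(0))
    body = "".join(inner)  # joining also drops the blank separator line
    try:
        base64.b64decode(body, validate=True)  # refuse to "fix" corrupt data
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    wrapped = [body[i:i + width] for i in range(0, len(body), width)]
    out = [lines[0], *headers, *([""] if headers else []), *wrapped, lines[-1]]
    return "\n".join(out) + "\n"

# Constructed sample: NOT a real key. The body is base64 of bytes 0..149,
# wrapped at 76 columns to reproduce the "lines are too long" condition.
_RAW = base64.b64encode(bytes(range(150))).decode()
SAMPLE = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: DES-EDE3-CBC,0000000000000000",  # placeholder IV
    "",
    *[_RAW[i:i + 76] for i in range(0, len(_RAW), 76)],
    "-----END RSA PRIVATE KEY-----",
]) + "\n"

if __name__ == "__main__":
    print("over-long body lines:", long_lines(SAMPLE))
    print(rewrap_pem(SAMPLE), end="")
```

Run it on a copy of the key file and keep the original, since the re-wrapped output only changes line breaks and does not touch the encrypted bytes.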

Does changing the SSH passphrase with ssh-keygen change the SSH key?

Indeed, the passphrase is just a local protection for a private key file. From the server's perspective, the key stays the same.

There's no danger for you in trying. Just back up your encrypted key before conversion.


Though the right solution is to use an authentication agent (like OpenSSH ssh-agent). With the agent, you type the passphrase only once, when loading the key into the agent.


If you want/need an unencrypted key for some automation, the right solution is to have two keys: one encrypted for interactive use and one unencrypted for unattended use, so that in case your unencrypted key is compromised, you can cancel it without a need to replace your encrypted one.

Regenerate private key from password

Depends on the algorithm; however, for the vast majority of them, the answer is no. Generally, a key pair is made by using a lot of random information, and then your password is used to encrypt the private key. (Yes, it's encryption in encryption.)

For example, an RSA key pair or a Diffie-Hellman key pair both involve random input to generate these.

Either remove or automatically enter PEM passphrase for HAProxy SSL; Chrome still warns about CA not signed

You will need to copy the password-protected key to a key that is not password-protected.

openssl rsa -in test.pem -out test-password-less.key

To provide the PEM to HAProxy, you will also need the certificate.
Concatenate both files into one PEM file for HAProxy.

cat $CERT test-password-less.key > haproxy-test.pem

