Protection of private key for signing Chrome WebExtension

Question

I am the developer of a WebExtension for Chrome. The WebExtension is not listed in the Chrome Web Store because it is only used for internal purposes.

When packaging the first version of the WebExtension I got a pem file which contains a private key. Currently, I am using chrome.exe to create/sign new releases of my WebExtension using my private key.

I have noticed that the file is not protected by a passphrase and contains the private key in plaintext. I think it is handled that way to simplify the packaging process for developers. However, I am concerned about the security of my private key. Therefore, I want to protect my private key with a passphrase.

I guess that chrome.exe will expect a pem file containing a plaintext private key so I have searched for alternatives to sign my WebExtension and found the following:

• A bash script http://www.adambarth.com/experimental/crx/docs/crx.html
• A python script https://grack.com/blog/2009/11/09/packing-chrome-extensions-in-python/

Both of them using openssl. Hence, handling of an encrypted private key can be added but I am not very experienced using openssl.

Do common/best practice openssl commands exists for encrypting and decrypting a pem file?

Any help will be appreciated, thanks!

Answer 1

Encrypt a key with a passphrase:

$ openssl rsa -in a.pem -aes256 -out a.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Decrypting a key with a passphrase:

$ openssl rsa -in a.key | openssl pkcs8 -topk8 -nocrypt -out a.pem
Enter pass phrase for a.key:
writing RSA key

The shell commands openssl sha1 -sign -key a.key and openssl rsa -in a.key will prompt for the pass phrase as necessary, so you would only need to explicitly decrypt the key if you wanted to use it in Chrome's UI, which just can't handle an encrypted PEM.