Is it possible to recover a lost passphrase for a private key file?

The whole point of having a passphrase is to lock out anyone who does not know it. Allowing it to be recovered would defy the principle and allow hackers who get access to your certificate to recover your keys.

So no, there is no such thing.

What you should do is declare the keys as lost to the issuer so that they revoke your certificate. Then, you have to create a new one from scratch.


From your description, it sounds like the server is currently using the key, which means the server "knows" the passphrase. If this is correct and you have appropriate access to the server, you should be able to extract it. How you'd do that depends on what the server software is and how it's set up.

Just as an example, if you were running Apache, and it had something like this in the httpd.conf file:

SSLPassPhraseDialog exec:/etc/apache2/getsslpassphrase

That means that Apache will run /etc/apache2/getsslpassphrase to get passphrases; and you can do the same:

sudo /etc/apache2/getsslpassphrase server.example.com:443 RSA

should output the passphrase for the server.example.com key.

For other server software (or Apache with different config options), you'd have to specify the details.
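The procedure in the answer above, worked through as a runnable shell script. This is an added example, not code from the answer or from the Apache project. What it takes from Apache is only the SSLPassPhraseDialog exec: contract: the helper is run with two arguments, "servername:port" and the key type (RSA, DSA or ECC), and prints the passphrase on stdout. The helper's contents, the hostnames, the passphrases and the file paths are all constructed for the demo (the real /etc/apache2/getsslpassphrase is whatever the administrator installed there). It also adds the check a practitioner wants before declaring the passphrase recovered: confirming with openssl that it actually decrypts the key file.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumptions: the helper follows
# Apache's SSLPassPhraseDialog exec: contract (args "servername:port" and key
# type, passphrase on stdout); hostnames, passphrases and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/server.example.com.key"
DEMO_PASS='correct horse battery'   # constructed; the passphrase the helper knows for :443

# Stand-in for /etc/apache2/getsslpassphrase (hypothetical contents).
HELPER="$WORK/getsslpassphrase"
cat > "$HELPER" <<'EOF'
#!/bin/sh
# Invoked by Apache as: getsslpassphrase servername:port keytype
case "$1:${2:-RSA}" in
  server.example.com:443:RSA) printf '%s\n' 'correct horse battery' ;;
  mail.example.com:993:RSA)   printf '%s\n' 'another-secret' ;;
  *) echo "no passphrase for $1 ${2:-RSA}" >&2; exit 1 ;;
esac
EOF
chmod 700 "$HELPER"

# Call the helper exactly as Apache would; the passphrase comes back on stdout.
recover_passphrase() {
  "$HELPER" "$1" "${2:-RSA}"
}

# Return 0 only if openssl can decrypt the key file with the given passphrase.
# The passphrase is fed on stdin rather than as "-passin pass:...", so it never
# appears in the process list.
passphrase_unlocks_key() {
  keyfile=$1; pass=$2
  printf '%s\n' "$pass" | openssl pkey -in "$keyfile" -passin stdin -noout 2>/dev/null
}

# Generate a passphrase-protected demo key (constructed) if openssl is available.
make_demo_key() {
  command -v openssl >/dev/null 2>&1 || return 1
  printf '%s\n' "$2" | openssl genrsa -aes256 -passout stdin -out "$1" 2048 2>/dev/null
}

if make_demo_key "$KEY" "$DEMO_PASS"; then
  pass=$(recover_passphrase server.example.com:443 RSA)
  if passphrase_unlocks_key "$KEY" "$pass"; then
    echo "passphrase from helper unlocks $KEY"
  else
    echo "helper returned a passphrase but it does not unlock $KEY" >&2
  fi
else
  echo "openssl not found; skipping the key check" >&2
fi
```

On a real server you would run recover_passphrase against the actual helper, with the servername:port and key type taken from the matching VirtualHost, and you usually need root to execute it because the helper is (and should be) readable only by root. Always confirm the result with passphrase_unlocks_key before revoking anything: a helper that serves several hosts can happily return a passphrase for the wrong key. Keep the passphrase off the command line (no -passin pass:..., no echoing it into a shell with history enabled), and if the helper reads from a file or prompts interactively, you are extracting that source rather than calling the helper.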


Under some circumstances it may be possible to recover the private key with a new password. It would require the issuing CA to have created the certificate with support for private key recovery.

This is normally not done, except where the key is used to encrypt information, e.g. when used for email or file encryption. The issuing CA should be able to tell you whether key recovery is possible, and help you re-create the key with a new password if it is.