How to change your pass phrase

The private key part pertaining to your certificate is (and should) be protected with a strong encryption algorithm. This algorithm, usually 3DES, needs a secret pass phrase. From time to time, you may want to change this pass phrase for security reasons. This document describes how you do it. Have your X.509 key file ready and run the following command:

openssl rsa -in userkey.pem -des3 -out newkey.pem

This command can be run from your ~/.globus directory, possibly after mounting the appropriate media. You will have to give your `old' passphrase first, followed by (twice) your new pass phrase. When you're done, rename the file newkey.pem.
Remember to set the appropriate access mask for your new file (on *NIX systems it should be 0400).
If you are working in a secure environment and have your private key stored on removable media, we advise you to sanitize the media that contained your old private key. Only in this way can you be sure that your `old' passphrase cannot be used to compromise your private key. See, for example, the DoD 5220.22-M standard on how to best sanitize your media.
David Groep <>