diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
index 1390cc2f74..6745cff1af 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
@@ -198,6 +198,12 @@ enum tport_tls_verify_policy {
   TPTLS_VERIFY_SUBJECTS_ALL = 0xF,
 };
+TPORT_DLL extern tag_typedef_t tptag_tls_passphrase;
+#define TPTAG_TLS_PASSPHRASE(x) tptag_tls_passphrase, tag_str_v(x)
+
+TPORT_DLL extern tag_typedef_t tptag_tls_passphrase_ref;
+#define TPTAG_TLS_PASSPHRASE_REF(x) tptag_tls_passphrase_ref, tag_str_vr(&(x))
+
 TPORT_DLL extern tag_typedef_t tptag_tls_verify_policy;
 #define TPTAG_TLS_VERIFY_POLICY(x) tptag_tls_verify_policy, tag_uint_v((x))
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
index 5b7f5fd53e..c10958a41f 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
@@ -288,6 +288,16 @@ tag_typedef_t tptag_tls_version = UINTTAG_TYPEDEF(tls_version);
  */
 tag_typedef_t tptag_tls_verify_peer = UINTTAG_TYPEDEF(tls_verify_peer);
+/**@def TPTAG_TLS_PASSPHRASE(x)
+ *
+ * Sets the passphrase password to be used by openSSL to encrypt/decrypt
+ * private key files.
+ *
+ * @NEW_1_12_11.
+ */
+tag_typedef_t tptag_tls_passphrase = STRTAG_TYPEDEF(tls_passphrase);
+
+
 /**@def TPTAG_TLS_VERIFY_POLICY(x)
  *
  * The verification of certificates can be controlled:
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
index 041ed67611..2fffbde110 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
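Review bot: `TPTAG_TLS_PASSPHRASE(x)` passes its argument unparenthesised as `tag_str_v(x)`, while the neighbouring `TPTAG_TLS_VERIFY_POLICY(x)` in the same hunk wraps it as `tag_uint_v((x))`; for consistency with the rest of the header and so that a conditional expression used as the argument cannot bind unexpectedly, write `#define TPTAG_TLS_PASSPHRASE(x) tptag_tls_passphrase, tag_str_v((x))`. The new declarations also carry no comment at all, unlike the documented tags in tport_tag.c, and since the value is a secret it is worth saying so at the declaration: `/* Passphrase of the PEM private key; plaintext, handled like any other secret */`. If tag lists are ever dumped at debug level, a string tag holding a passphrase would presumably be printed in clear, which is another reason to flag it here.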
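Review bot: The new `TPTAG_TLS_PASSPHRASE` doc comment says the passphrase is used "to encrypt/decrypt private key files", but the callback this commit installs in tport_tls.c only hands the passphrase out for `rwflag == 0` (decryption) and returns nothing for the write/encryption case, so the documentation promises more than the code does. Suggest `* Sets the passphrase that OpenSSL uses to decrypt a password-protected private key file (see TPTAG_CERTIFICATE).`, and "openSSL" should be spelled "OpenSSL" as elsewhere. It would also help integrators to note that the string is copied into the master transport's memory home by tport_tls_init_master and kept there for the lifetime of the transport, so the value is held in plaintext rather than consumed once.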
@@ -160,6 +160,27 @@ void tls_log_errors(unsigned level, char const *s, unsigned long e)
   }
 }
+/*
+ * This callback hands back the password to be used during decryption.
+ *
+ * buf : the function will write the password into this buffer
+ * size : the size of "buf"
+ * rwflag : indicates whether the callback is being used for reading/
+ * decryption (0) or writing/encryption (1)
+ * userdata : pointer tls_issues_t where the passphrase is stored
+ */
+static int passwd_cb(char *buf, int size, int rwflag, void *userdata)
+{
+  if (rwflag == 0) { // reading/decryption
+    tls_issues_t *tlsi = (tls_issues_t *)userdata;
+
+    strncpy(buf, tlsi->passphrase, size);
+    buf[size - 1] = '\0';
+
+    return strlen(tlsi->passphrase);
+  }
+  return 0;
+}
 static tls_t *tls_create(int type)
@@ -290,6 +311,12 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
     return -1;
   }
+  /* Set callback if we have a passphrase */
+  if (ti->passphrase != NULL) {
+    SSL_CTX_set_default_passwd_cb(tls->ctx, passwd_cb);
+    SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, (void *)ti);
+  }
   if (!SSL_CTX_use_certificate_file(tls->ctx, ti->cert, SSL_FILETYPE_PEM)) {
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
index 416143153b..dbf6517196 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
@@ -56,6 +56,7 @@ typedef struct tls_issues_s {
   int configured; /* If non-zero, complain about certificate errors */
   char *cert; /* CERT file name. File format is PEM */
   char *key; /* Private key file. PEM format */
+  char *passphrase; /* Passphrase for password protected private key */
   char *randFile; /* Seed file for the PRNG (default: tls_seed.dat) */
   char *CAfile; /* PEM file of CA's */
   char *CApath; /* PEM file path of CA's */
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
index 7afd34c66d..24f5d1b0fb 100644
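Review bot: `passwd_cb` returns `strlen(tlsi->passphrase)` even when `strncpy` has truncated the copy to `size - 1` bytes, so for a passphrase longer than the buffer OpenSSL is told a length larger than what was actually written and, as far as I can tell, reads that many bytes from `buf`; `buf[size - 1] = '\0'` is also executed without checking `size > 0`. Rejecting an over-long passphrase with `-1` (OpenSSL's error return) and copying with `memcpy` only after the length check closes both, and the local can keep the `const` that `tls_init_context` drops with its `(void *)ti` cast. The rewrite below keeps `return 0` for the `rwflag != 0` (encryption) case as the original does; the `//` comment is also out of step with the `/* */` style used elsewhere in this file.
```c
static int passwd_cb(char *buf, int size, int rwflag, void *userdata)
{
  tls_issues_t const *tlsi = userdata;
  size_t len;

  if (rwflag != 0)            /* writing/encryption: nothing handed out */
    return 0;
  if (tlsi == NULL || tlsi->passphrase == NULL || size <= 0)
    return -1;

  len = strlen(tlsi->passphrase);
  /* OpenSSL uses the returned length to read buf back, so never report
     more than was copied; keep room for the terminator. */
  if (len >= (size_t)size)
    return -1;

  memcpy(buf, tlsi->passphrase, len + 1);
  return (int)len;
}
```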
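Review bot: `SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, (void *)ti)` stores a pointer to caller-owned data in a context that outlives this call: `ti` is `tls_issues_t const *` here, and in tport_type_tls.c it is the local `ti` of `tport_tls_init_master`, so once that function returns the SSL_CTX keeps a dangling pointer that any later passphrase prompt on this context would dereference. If the passphrase is only needed for the private-key load that presumably follows in `tls_init_context` (the rest of the function is outside this hunk), clear the hook as soon as the key is in: `SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, NULL);` and `SSL_CTX_set_default_passwd_cb(tls->ctx, NULL);` after `SSL_CTX_use_PrivateKey_file`, and say so in the comment, e.g. `/* Passphrase callback is only valid while ti is live; removed after the key is loaded */`.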
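Review bot: The new `passphrase` field's comment does not say what a null value means or who owns the string, which the other fields in `tls_issues_s` leave to the reader as well but matters more for a secret: `tls_init_context` only installs the callback when it is non-NULL, and `tport_tls_init_master` fills it from `su_strdup(autohome, ...)`. Suggest `/* Passphrase of an encrypted private key, plaintext; NULL when the key is not protected. Owned by the caller's home. */`.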
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
@@ -182,6 +182,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   char const *path = NULL;
   unsigned tls_version = 1;
   unsigned tls_verify = 0;
+  char const *passphrase = NULL;
   unsigned tls_policy = TPTLS_VERIFY_NONE;
   unsigned tls_depth = 0;
   unsigned tls_date = 1;
@@ -198,6 +199,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   TPTAG_CERTIFICATE_REF(path),
   TPTAG_TLS_VERSION_REF(tls_version),
   TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
+  TPTAG_TLS_PASSPHRASE_REF(passphrase),
   TPTAG_TLS_VERIFY_POLICY_REF(tls_policy),
   TPTAG_TLS_VERIFY_DEPTH_REF(tls_depth),
   TPTAG_TLS_VERIFY_DATE_REF(tls_date),
@@ -218,6 +220,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   ti.configured = path != tbf;
   ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
   ti.key = su_sprintf(autohome, "%s/%s", path, "agent.pem");
+  ti.passphrase = su_strdup(autohome, passphrase);
   ti.cert = ti.key;
   ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
   ti.version = tls_version;
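Review bot: `ti.passphrase = su_strdup(autohome, passphrase)` in the third hunk keeps a plaintext copy of the key passphrase in the master transport's home for as long as the transport lives, and when the home is eventually freed the bytes are released without being wiped; the same applies to the `tls_issues_t` copy that `tls_init_context` receives. Once `tls_init_context` (called later in this function, outside the hunk) has loaded the key, nothing visible here needs the plaintext again, so wiping it right after that call, e.g. `if (ti.passphrase) memset(ti.passphrase, 0, strlen(ti.passphrase));`, limits how long the secret sits in process memory; a comment on the assignment should state that the copy is plaintext and where it is cleared. Like the sibling `su_sprintf` results, the `su_strdup` return is not checked, which is consistent with this function but means a NULL here silently turns an encrypted key into an unprotected-key load attempt.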