Removing a passphrase from an SSL Key

12 Oct 2007

The typical process for creating an SSL certificate is as follows:

 # openssl genrsa -des3 -out www.key 2048

Note: When creating the key, you can avoid entering the initial passphrase altogether using:

# openssl genrsa -out www.key 2048

At this point it is asking for a PASS PHRASE (which I will describe how to remove):

 Enter pass phrase for www.key:

 # openssl req -new -key www.key -out www.csr

Next, you will typically send the www.csr file to your registrar. In turn, your registrar will provide you with the .crt (certificate) file.

From a security standpoint utilizing a passphrase, is a good thing, but from a practical standpoint not very useful.

For instance, what happens when your server reboots/crashes at 3am? Or better, what happens in 6 months when you reboot your machine, and you don’t remember the password? Well, one thing is for sure, your web server will not be online.

I suggest removal of the passphrase, you can follow the process below:

Always backup the original key first (just in case)!

 # cp www.key www.key.orig

Then unencrypt the key with openssl. You’ll need the passphrase for the decryption process:

 # openssl rsa -in www.key -out new.key

Now copy the new.key to the www.key file and you’re done. Next time you restart the web server, it should not prompt you for the passphrase.

2 Responses to “Removing a passphrase from an SSL Key”

Brian Nettles » Blog Archive » Enter pass phrase:Apache:mod_ssl:Error: Private key not found. says:
August 27, 2008 at 10:25 am

[...] http://www.mnxsolutions.com/blog/apache/removing-a-passphrase-from-an-ssl-key.html [...]
mwarden says:
December 9, 2009 at 3:54 pm

Thank you for sharing this. This is exactly what I needed, and you are dead-on correct about passphrases in ssl keys not being very practical.

Contact Form get in touch with us

Search Site

RSS
Twitter