12 Oct 2007

Removing a passphrase from an SSL Key 

By - Apache, Quick Tip 15 Comments

The typical process for creating an SSL certificate is as follows:

 # openssl genrsa -des3 -out www.key 2048

Note: When creating the key, you can avoid entering the initial passphrase altogether using:

# openssl genrsa -out www.key 2048

With -des3, openssl asks for a pass phrase at this point (which I will describe how to remove):

 Enter pass phrase for www.key:
 # openssl req -new -key www.key -out www.csr

Next, you will typically send the www.csr file to your registrar. In turn, your registrar will provide you with the .crt (certificate) file.

From a security standpoint, using a passphrase is a good thing, but from a practical standpoint it is not very useful.

For instance, what happens when your server reboots/crashes at 3am? Or better, what happens in 6 months when you reboot your machine, and you don’t remember the password? Well, one thing is for sure, your web server will not be online.

I suggest removing the passphrase; you can follow the process below:

Always back up the original key first (just in case)!

 # cp www.key www.key.orig

Then decrypt the key with openssl. You’ll need the passphrase for the decryption process:

 # openssl rsa -in www.key -out new.key

Now copy the new.key to the www.key file and you’re done. Next time you restart the web server, it should not prompt you for the passphrase.
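
The steps above wrapped in a shell function, as an added example that is not part of the original post: it keeps the backup, writes the decrypted key under a restrictive umask so the cleartext key is readable only by its owner, and confirms the public key is unchanged before replacing www.key. The function names and the PASSIN argument (an openssl pass phrase source such as file:PATH) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names and the PASSIN
# argument (an openssl pass phrase source, e.g. file:PATH or env:VAR) are
# assumptions of this example.

# True if the PEM key is passphrase-protected (traditional or PKCS#8 form).
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# usage: strip_passphrase KEYFILE PASSIN
strip_passphrase() {
    local key=$1 passin=$2
    key_is_encrypted "$key" || { echo "$key has no passphrase" >&2; return 2; }
    (
        umask 077                              # cleartext key is never group/world readable
        tmp=$(mktemp "$key.XXXXXX") || exit 1
        trap 'rm -f "$tmp"' EXIT               # no stray cleartext copy on failure
        cp -p "$key" "$key.orig" || exit 1     # back up the original first
        openssl rsa -in "$key" -passin "$passin" -out "$tmp" 2>/dev/null || exit 1
        # The public half must be identical, or the certificate would no longer match.
        before=$(openssl rsa -in "$key.orig" -passin "$passin" -pubout 2>/dev/null) || exit 1
        after=$(openssl rsa -in "$tmp" -pubout 2>/dev/null) || exit 1
        [ "$before" = "$after" ] || exit 1
        chmod 600 "$tmp" && mv -f "$tmp" "$key"
    )
}

# Run this script as: SCRIPT www.key file:PATH_TO_PASSPHRASE_FILE
if [ $# -eq 2 ]; then strip_passphrase "$1" "$2"; fi
```

The encrypted www.key.orig stays in place as the backup; the decrypted www.key ends up with mode 600 regardless of the mode the original had.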


15 Responses to “Removing a passphrase from an SSL Key”

  1. mwarden says:

    Thank you for sharing this. This is exactly what I needed, and you are dead-on correct about passphrases in ssl keys not being very practical.

  2. wika says:

    Thanks man, exactly what I needed.

  3. Alexis says:

    Thanks! this is essential for all services to start in a remote server!

  4. Shivakumar Nagarajan says:

    Thank You!!! Gentlemen, it works!

  5. Tommy says:

    I can remove passphrase and not need renew the SSL cert now.

    Thank you very much.

  6. Commercial cert : where to store passphrase ? stmp related - Zimbra :: Forums says:

    [...] Removing a passphrase from an SSL Key Remove the passphrase, and put the new key in your zimbra directory. [...]

  7. Santiago says:

    Thanks a lot, it worked perfect :)

  8. Slavi says:

    Thanks! I was able to remove the passphrase successfully.
    I was prompted for a pwd for every httpd restart.

  9. charredTowne says:

    Thanks! I accidentally (out of habit from working with a single site over the past few years) added the requirement for a passphrase to a client’s web server. They weren’t too happy. Using your advice I was able to remove the passphrase and now everyone is back on track! Thanks a ton!

  10. jeff says:

    Thank you so much, this is exactly what I am looking for.

  11. Vereb says:

    Thank you for your help, our Apache server is running again.

  12. Jay S says:

    Wow, you are a life saver!

  13. selva says:

    Hi,

    Unable to start the httpd service because I don't know the passphrase. Please say how to change or remove it.

  14. Mahbub says:

    Thanks a lot. It just saved me from some annoyances.
