
Removing a passphrase from an SSL Key

posted on October 12, 2007 / IN Apache / Quick Tip / 28 Comments

The typical process for creating an SSL certificate is as follows:

 # openssl genrsa -des3 -out www.key 2048

Note: When creating the key, you can avoid entering the initial passphrase altogether using:

 # openssl genrsa -out www.key 2048

At this point openssl asks for a pass phrase (I describe how to remove it below):

 Enter pass phrase for www.key:
 # openssl req -new -key www.key -out www.csr

Next, you will typically send the www.csr file to your registrar. In turn, your registrar will provide you with the .crt (certificate) file.

From a security standpoint, using a passphrase is a good thing, but from a practical standpoint it is not very useful.

For instance, what happens when your server reboots/crashes at 3am? Or better, what happens in 6 months when you reboot your machine, and you don’t remember the password? Well, one thing is for sure, your web server will not be online.

I suggest removing the passphrase; you can follow the process below:

Always back up the original key first (just in case)!

 # cp www.key www.key.orig

Then decrypt the key with openssl. You’ll need the passphrase for the decryption process:

 # openssl rsa -in www.key -out new.key

Now copy the new.key to the www.key file and you’re done. Next time you restart the web server, it should not prompt you for the passphrase.
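
The same procedure as an added shell example (not part of the original post): it keeps every file owner-readable only and checks the decrypted key against www.csr before replacing www.key. The function names and the `KEY_PASS` variable are assumptions for illustration; without `KEY_PASS`, openssl prompts for the passphrase as in the steps above.

```shell
#!/bin/sh
# Added example. www.key and www.csr follow the article; the function names
# and the KEY_PASS variable are hypothetical.
# Usage: strip_passphrase www.key www.csr

# True when the PEM file holds an encrypted private key: traditional
# "Proc-Type: 4,ENCRYPTED" header or PKCS#8 "ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# True when the (unencrypted) key's public half equals the one in the CSR,
# so the certificate issued for that CSR still matches the key.
key_matches_csr() {
    # "-passin pass:" supplies an empty passphrase so openssl never prompts.
    key_pub=$(openssl rsa -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Runs in a subshell, so the umask and variables do not leak to the caller.
strip_passphrase() (
    key=$1
    csr=$2
    umask 077    # every file created below is owner-only
    key_is_encrypted "$key" || { echo "$key has no passphrase" >&2; exit 1; }
    cp "$key" "$key.orig" || exit 1    # the backup stays encrypted
    if [ -n "${KEY_PASS:-}" ]; then
        # Non-interactive: passphrase taken from the exported KEY_PASS.
        openssl rsa -in "$key.orig" -passin env:KEY_PASS -out "$key.new" 2>/dev/null
    else
        openssl rsa -in "$key.orig" -out "$key.new"    # prompts on the terminal
    fi || { rm -f "$key.new"; exit 1; }
    # Refuse to install a key that is still encrypted or does not match.
    if key_is_encrypted "$key.new" || ! key_matches_csr "$key.new" "$csr"; then
        rm -f "$key.new"
        exit 1
    fi
    chmod 600 "$key.new" && mv "$key.new" "$key"
)
```

After it succeeds, www.key is protected only by its file mode (600), and www.key.orig remains the passphrase-protected copy.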


By admin


    • mwarden
      Posted on December 9, 2009 3:54 pm

      Thank you for sharing this. This is exactly what I needed, and you are dead-on correct about passphrases in ssl keys not being very practical.

    • wika
      Posted on March 23, 2010 8:32 pm

      Thanks man, exactly what I needed

    • Alexis
      Posted on April 24, 2010 5:33 pm

      Thanks! This is essential for all services to start in a remote server!

    • Tommy
      Posted on December 30, 2010 9:56 am

      I can remove the passphrase and do not need to renew the SSL cert now.

      Thank you very much.

    • Santiago
      Posted on January 5, 2011 12:43 pm

      Thanks a lot, it worked perfect :)

    • Slavi
      Posted on February 6, 2011 10:27 am

      Thanks! I was able to remove the passphrase successfully.
      I was prompted for a pwd for every httpd restart.

    • charredTowne
      Posted on March 9, 2011 3:09 pm

      Thanks! I accidentally (out of habit from working with a single site over the past few years) added the requirement for a passphrase to a client’s web server. They weren’t too happy. Using your advice I was able to remove the passphrase and now everyone is back on track! Thanks a ton!

    • jeff
      Posted on April 4, 2011 8:55 pm

      Thank you so much, this is exactly what I am looking for

    • Vereb
      Posted on May 1, 2011 6:52 pm

      Thank you for your help; our Apache server is running again.

    • Jay S
      Posted on May 25, 2011 2:28 pm

      Wow, you are a life saver!

    • selva
      Posted on August 5, 2011 3:49 am

      Unable to start httpd service because I don't know the passphrase. Please say how to change or remove it.

    • Mahbub
      Posted on December 13, 2011 2:20 am

      Thanks a lot. It just saved me from some annoyances.

    • Todd
      Posted on May 14, 2012 10:22 am

      Thank you for posting this how-to! It was very helpful. Have a great day!

    • Asgher Ali
      Posted on May 28, 2012 7:16 am

      Thank you for sharing this information, because each time on system reboot I had to start the server manually and provide the SSL pass phrase, but now it is working well without a pass phrase. Thank you once again.

    • Justin
      Posted on June 28, 2012 10:20 am

      This was perfect for me as well. I have several sites hosted on the same box and it makes no sense to have to type in a passphrase for any single site when restarting apache. Thanks for the solution!

    • Boris
      Posted on November 6, 2012 9:31 am

      Thank you as well. I have to be able to restart the web server via the web interface, and there I can’t provide a password. So this was exactly what I needed!

    • Chidra
      Posted on November 19, 2012 4:27 am

      Thanks, it works

    • filmy
      Posted on December 10, 2012 5:18 am

      Thanks a lot for help!

    • Brian
      Posted on March 20, 2013 2:14 pm

      Phew! Thanks for the help!

    • Matt
      Posted on April 4, 2013 11:44 am

      Many, many thanks! This saved my ass on a server upgrade.

    • nerdtron
      Posted on June 17, 2013 5:50 am

      Thank you! I have spent days figuring out how to correctly install a proper certificate on our email server.

      Thanks again!
