Remove SSL Certificate Passphrase
A lot of people ask how they can remove the passphrase requirements from an SSL key so that Apache can be (re)started without the need to re-enter the key's passphrase.
There are two main options, but before we get to those you need to be aware of the risks associated with doing this. Once you remove the requirement for the passphrase, the certificate can be easily copied and used elsewhere, thus raising the risk of it being abused. If you *must* remove the passphrase then you must take adequate protection in the storage of the file. Ensure that the permissions are set to only allow access to those who *need* it.
Now that you have been warned about the risks, we can continue onto the options
Apache has a directive you can use, called 'SSL!PassPhraseDialog' . Click here for the documentation on this directive.
- You can use OpenSSL to remove the passphrase from the certificate completely.
An example usage of SSLPassPhraseDialog :
SSLPassPhraseDialog exec:/path/to/script
N.B. 'SSL!PassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks.
Inside an example perl script:
# # Hideously insecure temporary hack so a reboot # can happen without requiring the passphrase to be input # at the console. print "Enter your SSL Passphrase here\n";
How to decrypt a key with OpenSSL
With OpenSSL you can actually remove the passphrase from the SSL key completely. This will avoid Apache asking you to enter the passphrase every time it is started. To do this go to the command line and type
/path/to/openssl rsa -in /path/to/originalkeywithpass.key -out /path/to/newkeywithnopass.key
with the file names and paths appropriate for your environment.