Differences between revisions 4 and 5
Revision 4 as of 2009-09-20 22:13:26
Size: 2032
Editor: localhost
Comment: converted to 1.6 markup
Revision 5 as of 2012-10-13 17:37:23
Size: 1889
Editor: TimBannister
Comment: Changed security warning into a Moin admonition
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
= Remove SSL Certificate Passphrase = = Remove SSL certificate passphrase =
Line 4: Line 4:
A lot of people ask how they can remove the passphrase requirements from an SSL key so that Apache can be (re)started without the need to re-enter the key's passphrase. A lot of people ask how they can remove the passphrase requirements from a private key so that Apache can be (re)started without the need to re-enter the key's passphrase.
Line 6: Line 6:
There are two main options, but before we get to those you need to be aware of the risks associated with doing this.
Once you remove the requirement for the passphrase, the certificate can be easily copied and used elsewhere, thus raising the risk of it being abused. If you *must* remove the passphrase then you must take adequate protection in the storage of the file. Ensure that the permissions are set to only allow access to those who *need* it.
{{{#!wiki caution
'''Security warning'''

Once you remove the requirement for the passphrase, the certificate can be easily copied and used elsewhere, thus raising the risk of it being abused. If you must remove the passphrase then you must take adequate protection in the storage of the file. Ensure that the permissions are set to only allow access to those who need it.
}}}
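Review bot: the admonition body still says "the certificate can be easily copied and used elsewhere" even though the sentence rewritten in the hunk above now says "private key"; it is the unencrypted private key, not the (public) certificate, that becomes trivially reusable once the passphrase is gone, so the warning should say "private key" for consistency with the rest of the revision. The conversion also drops the emphasis on *must* and *need* from the old text; keeping them as ''must'' and ''need'' in Moin markup would preserve the original stress on the permission requirement.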
Line 11: Line 14:
 1. Apache has a directive you can use, called '' 'SSL!PassPhraseDialog' ''. Click [[http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialog|here]] for the documentation on this directive.  1. httpd has a directive you can use, [[http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog|SSLPassPhraseDialog]].
Line 21: Line 24:
'' '''N.B.''' 'SSL!PassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks. '' '' '''N.B.''' 'SSLPassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks. ''
Line 37: Line 40:
== How to decrypt a key with OpenSSL == == How to strip a key with OpenSSL ==

Remove SSL certificate passphrase

A lot of people ask how they can remove the passphrase requirements from a private key so that Apache can be (re)started without the need to re-enter the key's passphrase.

Security warning

Once you remove the requirement for the passphrase, the private key can be easily copied and used elsewhere, which raises the risk of it being abused. If you must remove the passphrase, then you must protect the stored file adequately: ensure that its permissions allow access only to those who need it.

Now that you have been warned about the risks, we can continue on to the options:

  1. httpd has a directive you can use, SSLPassPhraseDialog.

  2. You can use OpenSSL to remove the passphrase from the private key completely.

An example usage of SSLPassPhraseDialog:

SSLPassPhraseDialog exec:/path/to/script

N.B. 'SSLPassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks.


Inside an example perl script:

#!/usr/bin/perl
#
# Hideously insecure temporary hack so a reboot
# can happen without requiring the passphrase to be input
# at the console.
#
# httpd runs this program at startup and reads the passphrase from its
# standard output, so whatever this script prints is used as the passphrase.
use strict;
use warnings;

print "Enter your SSL Passphrase here\n";
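The perl snippet above hard-codes the passphrase in the script itself. The following shell script is an added example, not the wiki's code and not part of httpd, of a less careless provider for the same directive: it keeps each passphrase in its own root-only file and refuses to hand it out if that file is readable by anyone else. mod_ssl calls an exec: program with two arguments, "servername:port" and the key type (RSA, DSA, ECC, or an index), and takes what it prints on stdout as the passphrase; the directory layout under PASSDIR and its default path /etc/httpd/ssl/passphrases are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the wiki's perl snippet, not part of httpd): a passphrase
# provider for
#   SSLPassPhraseDialog exec:/path/to/script
# mod_ssl runs the program at startup once per encrypted key with
# "servername:port" as $1 and the key type (RSA, DSA, ECC, ...) as $2, and
# uses whatever it prints on stdout as the passphrase.
# Assumed (hypothetical) layout: one file per key under PASSDIR, named
#   <servername:port>.<keytype>
# owned by root with mode 0600.

# mode_is_private FILE: true only when group and other have no permission
# bits, i.e. the octal mode ends in 00 (0600, 0400, 0700 ...).
# Tries GNU stat first, then BSD stat.
mode_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# emit_passphrase PASSDIR SERVER KEYTYPE: print the passphrase for one key, or
# fail loudly (non-zero exit, message on stderr, nothing on stdout) when the
# file is missing, is not a regular file, or is readable by group/other.
emit_passphrase() {
    passdir=$1; server=$2; keytype=$3
    file="$passdir/$server.$keytype"
    if [ ! -f "$file" ]; then
        echo "no passphrase file for $server ($keytype): $file" >&2
        return 1
    fi
    if ! mode_is_private "$file"; then
        echo "refusing to use $file: permissions are not owner-only (expected 0600)" >&2
        return 1
    fi
    # First line only; nothing else may reach stdout, or httpd gets a wrong passphrase.
    head -n 1 "$file"
}

# Entry point when httpd calls the script: $1 = servername:port, $2 = key type.
if [ $# -eq 2 ]; then
    emit_passphrase "${PASSDIR:-/etc/httpd/ssl/passphrases}" "$1" "$2"
fi
```

The permission check is what keeps this from being just a second copy of the plain-text hack: a passphrase file that has been chmod'ed open by mistake causes httpd to fail at startup instead of silently serving with a key whose protection is gone. Like the perl version, the script itself must be readable and executable by root only.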

How to strip a key with OpenSSL

With OpenSSL you can actually remove the passphrase from the private key completely, so that Apache no longer asks you to enter the passphrase every time it is started. To do this, go to the command line and type

/path/to/openssl rsa -in /path/to/originalkeywithpass.key -out /path/to/newkeywithnopass.key

with the file names and paths appropriate for your environment.
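The command above produces the stripped key but leaves two things to the operator: creating the new file so that it is never group- or world-readable, and checking that the result really is passphrase-free. The following script is an added example, not part of the wiki page, that does both: it strips the key with the same openssl rsa invocation, reads the passphrase from a 0600 file instead of the command line (so it never appears in ps output), creates the plaintext copy under umask 077, and then verifies the original still needs its passphrase, the copy does not, and the copy is owner-only. It assumes openssl is in PATH; the key and passphrase it uses are generated on the fly as throwaway test data in a temporary directory. openssl pkey takes the same -in/-out/-passin arguments for non-RSA keys.

```shell
#!/bin/sh
# Added example, not part of the wiki page: strip the passphrase from an RSA key
# the way the command above does, but create the plaintext copy under a
# restrictive umask and then verify the outcome. Assumes openssl in PATH. All
# key material here is constructed, throwaway test data in a temp directory.

# key_is_encrypted FILE: a PEM key with a passphrase carries "ENCRYPTED" in
# either the legacy "Proc-Type: 4,ENCRYPTED" header or the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" banner; an unencrypted key has neither.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# key_parses_unattended FILE: true if openssl can parse the key without any
# real passphrase. The -passin value is deliberately wrong: an unencrypted key
# ignores it, while an encrypted key fails decryption instead of prompting
# (an empty pass: would make openssl fall back to a terminal prompt).
key_parses_unattended() {
    openssl rsa -in "$1" -noout -passin pass:deliberately-wrong </dev/null >/dev/null 2>&1
}

# mode_is_private FILE: octal mode ends in 00, i.e. no group/other bits.
mode_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# strip_key_passphrase SRC DST PASSFILE: write an unencrypted copy of SRC to
# DST. umask 077 makes openssl create DST owner-only from the first byte, so
# there is no window in which the plaintext key is readable by others.
strip_key_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -passin "file:$3" -out "$2" ) >/dev/null 2>&1 || return 1
    chmod 0600 "$2"
}

# run_demo DIR: build a throwaway passphrase-protected key in DIR, strip it,
# and return 0 only if every check passes.
run_demo() {
    dir=$1
    # constructed passphrase, written owner-only; not a real secret
    ( umask 077 && printf 'constructed-demo-passphrase\n' > "$dir/pw.txt" ) || return 1
    openssl genrsa -aes256 -passout "file:$dir/pw.txt" -out "$dir/withpass.key" 2048 >/dev/null 2>&1 || return 1
    strip_key_passphrase "$dir/withpass.key" "$dir/nopass.key" "$dir/pw.txt" || return 1
    key_is_encrypted "$dir/withpass.key"      || return 1   # original still protected
    key_is_encrypted "$dir/nopass.key"        && return 1   # copy is plaintext
    key_parses_unattended "$dir/withpass.key" && return 1   # original still needs the passphrase
    key_parses_unattended "$dir/nopass.key"   || return 1   # copy loads without it
    mode_is_private "$dir/nopass.key"         || return 1   # copy is owner-only
    return 0
}

# Stand-alone use: run the demo in a temp directory and clean up afterwards.
workdir=$(mktemp -d)
if run_demo "$workdir"; then
    echo "stripped key verified: no passphrase required, owner-only permissions"
else
    echo "a check failed (is openssl installed?)" >&2
fi
rm -rf "$workdir"
```

On a real server the stripped key should additionally be owned by root and referenced from the httpd configuration only; mode_is_private is the check to run after any deployment or backup step that might have rewritten the file with a more permissive mode.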

RemoveSSLCertPassPhrase (last edited 2012-10-13 17:37:23 by TimBannister)