Remove SSL certificate passphrase
A lot of people ask how they can remove the passphrase requirements from a private key so that Apache can be (re)started without the need to re-enter the key's passphrase.
| Note |
|---|
Security warning Once you remove the requirement for the passphrase, the certificate can be easily copied and used elsewhere, thus raising the risk of it being abused. If you must remove the passphrase then you must take adequate protection in the storage of the file. Ensure that the permissions are set to only allow access to those who need it. |
Now that you have been warned about the risks, we can continue onto the options
- httpd has a directive you can use, SSLPassPhraseDialog.
- You can use OpenSSL to remove the passphrase from the certificate completely.
An example usage of SSLPassPhraseDialog :
| No Format |
|---|
SSLPassPhraseDialog exec:/path/to/script |
_ N.B. 'SSLPassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks._
Inside an example perl script:
| No Format |
|---|
#!/usr/bin/perl # # Hideously insecure temporary hack so a reboot # can happen without requiring the passphrase to be input # at the console. print "Enter your SSL Passphrase here\n"; |
How to strip a key with OpenSSL
With OpenSSL you can actually remove the passphrase from the SSL key completely. This will avoid Apache asking you to enter the passphrase every time it is started. To do this go to the command line and type
| No Format |
|---|
/path/to/openssl rsa -in /path/to/originalkeywithpass.key -out /path/to/newkeywithnopass.key |
with the file names and paths appropriate for your environment.