stop apache from asking for SSL password each restart
Solution 1
You want to remove the passphrase from a key file. Run this:
openssl rsa -in key.pem -out newkey.pem
Be aware that this means that anyone with physical access to the server can copy (and thereby abuse) the key.
Solution 2
I've been guilty of removing the passphrase from my own key files in the past, because it's the simplest solution, but security-wise, it's not the best idea. An alternative is to feed the passphrase to Apache. You can do this with the SSLPassPhraseDialog option in your httpd.conf (or another file that it includes).
If you only have one SSL site on your server, the simplest form of this would be:
# either of these will work
SSLPassPhraseDialog |/path/to/passphrase-script
SSLPassPhraseDialog exec:/path/to/passphrase-script
You would then create a very simple script called /path/to/passphrase-script that contains something like the following:
#!/bin/sh
echo "put the passphrase here"
When starting up, Apache will take the output of this script and use it as the passphrase for your SSL key. If you have multiple SSL sites, SSLPassPhraseDialog has additional ways in which it can be used, so you can either have a single script for all of your keys, or a separate script for each, or however you want to do it.
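As an added example (not part of the original answer), here is a more careful version of the passphrase script for the exec: form. mod_ssl runs the program with two arguments, the server name and port as servername:port and the key type (RSA, DSA or ECC, or a numeric index on newer releases), so one script can serve several sites. The layout below is an assumption made for this example: one root-only file per site and key type under /etc/apache2/ssl-passphrases (a directory name chosen here, not one Apache requires). The script refuses to print anything if the passphrase file is readable by group or others, and rejects server names that could escape that directory. It does not remove the limitation raised in the comments: whoever can read the config as root can still read the passphrase; what it buys you is file permissions on the secret and the option to ship the passphrase separately from the key.

```shell
#!/bin/sh
# Passphrase helper for:  SSLPassPhraseDialog exec:/path/to/passphrase-script
# mod_ssl invokes it as:  passphrase-script servername:port KEYTYPE
# and reads the passphrase from its standard output.
#
# Layout assumed for this example (not mandated by Apache):
#   $PASSPHRASE_DIR/<servername>_<port>.<KEYTYPE>   e.g. www.example.com_443.RSA
# Each file holds one passphrase, is owned by root and has mode 0600 or 0400.

PASSPHRASE_DIR="${PASSPHRASE_DIR:-/etc/apache2/ssl-passphrases}"

# lookup_passphrase SERVERNAME:PORT KEYTYPE
# Prints the passphrase on stdout and returns 0, or prints a reason on
# stderr and returns 1 (Apache then fails to start instead of hanging).
lookup_passphrase() {
    site=$1
    keytype=$2

    # Only accept the shapes mod_ssl actually produces; in particular
    # reject '/' and '..' so the name cannot point outside PASSPHRASE_DIR.
    case "$site" in
        ""|*/*|*..*|.*|*[!A-Za-z0-9._:-]*)
            echo "passphrase-script: refusing server name '$site'" >&2
            return 1 ;;
    esac
    # Key type is RSA, DSA, ECC, or a plain decimal index; anything else is rejected.
    case "$keytype" in
        RSA|DSA|ECC) ;;
        *[!0-9]*|"")
            echo "passphrase-script: unknown key type '$keytype'" >&2
            return 1 ;;
    esac

    file="$PASSPHRASE_DIR/$(printf '%s' "$site" | tr ':' '_').$keytype"

    if [ ! -f "$file" ]; then
        echo "passphrase-script: no passphrase file for $site ($keytype)" >&2
        return 1
    fi

    # Characters 5-10 of 'ls -l' output are the group and other permission
    # bits; anything other than '------' means the passphrase is exposed.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "passphrase-script: $file is readable by group/others; fix with chmod 600" >&2
        return 1
    fi

    # The first line of the file is the passphrase.
    head -n 1 "$file"
}

# Apache always passes two arguments. With none (e.g. when the file is
# sourced to test the function) only the definition above is loaded.
if [ "$#" -eq 2 ]; then
    lookup_passphrase "$1" "$2"
fi
```

Install the script owned by root with mode 0700 and the passphrase files with mode 0600; Apache reads the key and runs this helper while it is still root, so no other account needs access. A wrong or missing file makes the helper exit non-zero, which is preferable to Apache waiting on a prompt that nobody will answer.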
Solution 3
To remove the password from a PEM file, you can do the following. Note that both commands are required for the situation where the private key and the public certificate are in the same file:
# you'll be prompted for your passphrase one last time
openssl rsa -in mycert.pem -out newcert.pem
openssl x509 -in mycert.pem >> newcert.pem
This will create a file called "newcert.pem" that is a PEM file without a password. As noted in other answers, you should consider whether or not this is a good idea from a security standpoint before doing so.
Snagged from here
rzr
Updated on September 17, 2022
Comments
-
rzr, over 1 year: Using instructions from this site but varying them just a little I created a CA using -newca, I copied cacert.pem to my comp and imported as trusted issuer in IE. I then did -newreq and -sign (note: I do /full/path/CA.sh -cmd and not sh CA.sh -cmd) and moved the cert and key to apache. I visited the site in IE and using .NET code and it appears trusted, great (unless I write www. in front which is expected). But every time I restart apache I need to type in my password for the site(s?). How can I make it so I DO NOT need to type in the password?
-
Admin, almost 14 years: Warner, I <3 how you answer all my questions and give me great answers :D. The Best
-
William_De, almost 14 years: That doesn't really do anything for your security -- anyone who breaks in just has to read the Apache config, then read that script, and they're as good as if you had left off the passphrase in the first place.
-
Admin, almost 14 years: I don't know why you wouldn't remove the passphrase if you were going to have it written down anyways. I am not worried about anyone breaking in as all the permissions are set correctly. Or at least mostly. Right now the only ones who can access my files is my host provider (which I can't do anything about because they have the hardware and can break in as root or access the physical drive) and me as root.
-
Slartibartfast, almost 14 years: Any suggestion that causes a significant reduction in security should come with a warning / caveat. In short, this answer means that whoever has physical access to the machine can compromise your certificate.
-
Warner, almost 14 years: You certainly have a point Slartibartfast and I don't disagree on merit. However, I can't think of any well-run IT department where it is acceptable to leave passphrases on private keys with keypairs used by Apache.
-
user2402902, over 8 years: and chmod +x /path/to/passphrase-script
-
vee, over 8 years: key.pem is not found. I use this method and it's working. chrisschuld.com/2008/08/…
-
Cristian Măgherușan-Stanciu, over 8 years: I find this useful on large environments for configuration management purposes. You don't want every machine you launch automatically to ask for a passphrase on startup, especially when running 'in the cloud'. Using a script you can have the encrypted files stored and distributed over unsafe channels (Amazon S3, yum repos, etc.) while the passphrase is sent over an encrypted channel, like when using Puppet or Chef.
-
pcnate, over 6 years: this no longer works. openssl requires the passphrase unless there is an option to disable it
-
Sachin G., over 4 years: This knowledge.digicert.com/solution/SO307.html worked for me
-
Mirko Friedenhagen, almost 3 years: Very late to the game but: using the shell script you may easily share or publish your configuration, which has a value in itself.