Friday, October 9, 2009

Removing a passphrase from an SSL Key

SkyHi @ Friday, October 09, 2009
Friday, October 12th, 2007

The typical process for creating an SSL certificate is as follows:

# openssl genrsa -des3 -out www.key 1024

At this point, openssl asks for a pass phrase (which I will describe how to remove):

Enter pass phrase for www.key:

# openssl req -new -key www.key -out www.csr

Next, you will typically send the www.csr file to your registrar. In turn, you should receive a key.

From a security standpoint, utilizing a passphrase is a good thing, but from a practical standpoint it is not very useful.

For instance, what happens when your server reboots/crashes at 3am? Or better, what happens in 6 months when you reboot your machine, and you don’t remember the password? Well, one thing is for sure, your web server will not be online.

I suggest removing the passphrase; you can follow the process below.

Always back up the original key first to make sure no mistakes occur:

# cp www.key www.key.orig

Then decrypt the key with openssl. You’ll need the passphrase for the decryption process:

# openssl rsa -in www.key -out new.key

Now copy the new.key to the www.key file and you’re done. Next time you restart the web server, it should not prompt you for the passphrase.
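
The backup, decrypt and replace steps above as one script, added here as an example (it is not from the original post). It also checks that the decrypted key has the same RSA modulus as the original and keeps the plaintext key readable by its owner only; the function names and the optional KEYPASS environment variable are this example's assumptions.

```shell
#!/bin/sh
# Added example: remove the passphrase from an RSA key, verify the result,
# and only then replace the original. Names below are this example's own.
# KEYPASS (assumption): optional env var holding the passphrase for
# non-interactive runs; when unset, openssl prompts as in the post
# (once to decrypt, once more for the modulus check).

key_is_encrypted() {
    # Traditional PEM has "Proc-Type: 4,ENCRYPTED"; PKCS#8 has
    # "BEGIN ENCRYPTED PRIVATE KEY". Both contain this marker.
    grep -q 'ENCRYPTED' "$1"
}

strip_passphrase() {
    key=$1
    tmp="$key.new"
    pass=${KEYPASS:+-passin env:KEYPASS}

    cp -p "$key" "$key.orig" || return 1      # keep the encrypted original

    # umask 077 in a subshell: the plaintext key is never group/world readable.
    # $pass is intentionally unquoted so it splits into two arguments.
    if ! ( umask 077; openssl rsa $pass -in "$key" -out "$tmp" 2>/dev/null ); then
        rm -f "$tmp"; return 1                # wrong passphrase or bad key
    fi

    # The decrypted key must be the same key: compare RSA moduli.
    old=$(openssl rsa $pass -in "$key" -noout -modulus 2>/dev/null)
    new=$(openssl rsa -in "$tmp" -noout -modulus 2>/dev/null)
    if [ -z "$new" ] || [ "$old" != "$new" ] || key_is_encrypted "$tmp"; then
        rm -f "$tmp"; return 1
    fi

    mv "$tmp" "$key" && chmod 600 "$key"
}

# Usage: sh strip_passphrase.sh www.key
if [ "$#" -ge 1 ]; then
    strip_passphrase "$1" && echo "passphrase removed; backup in $1.orig"
fi
```

If the passphrase is wrong or the check fails, www.key is left untouched and only the www.key.orig copy has been added.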

Reference: http://www.mnxsolutions.com/blog/apache/removing-a-passphrase-from-an-ssl-key.html