You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wiki-changes@httpd.apache.org by Apache Wiki <wi...@apache.org> on 2006/11/24 18:16:54 UTC

[Httpd Wiki] Update of "Info/RemoveSSLCertPassPhrase" by pctony

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The following page has been changed by pctony:
http://wiki.apache.org/httpd/Info/RemoveSSLCertPassPhrase

The comment on the change is:
New page

New page:
= Remove SSL Certificate PassPhrase =

A lot of people ask how they can remove the !PassPhrase requirements from an SSL certificate so that Apache can be (re)started without the need to re-enter the !PassPhrase.

Now there are two main options, but before we get to those you need to be aware of the risks associated with doing this.
Once you remove the requirement for the !PassPhrase the certificate can be easily copied and used elsewhere, thus opening you to the risk of it being abused.  If you *must* remove the !PassPhrase then you must take adequate protection in the storage of the file.  Ensure that the permissions are set to only allow access to those who *need* access.

Now that you have been warned about the risks, we can continue onto the options that you have. 

 1. Apache has a directive you can use, it is called '' 'SSL!PassPhraseDialog' ''.   Click [http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialog here] for the Apache documentation on the directive.
 1. You can use OpenSSL to remove the !PassPhrase from the certificate completely


== An example usage of SSLPassPhraseDialog : ==

{{{
SSLPassPhraseDialog exec:/path/to/script
}}}

'' '''N.B.'''  That 'SSL!PassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks ''

[[BR]]
Inside an example perl script:

{{{
#!/usr/bin/perl
#
# Hideously insecure temporary hack so a reboot 
# can happen without requiring the pass phrase to be input
# at the console.

print "Put your SSL PassPhse here\n";
}}}


== How to use OpenSSL ==

With OpenSSL you can actually remove the !PassPhrase from the certificate completely.  This will then prevent Apache from asking you to enter the !PassPhrase everytime it is started. To do this go to the command line and type

{{{
/path/to/openssl rsa -in /path/to/originalkeywithpass.key -out /path/to/newkeywithnopass.key
}}}

Making sure your replace the file names, and paths above with the correct ones for your environment.