Posted to docs@httpd.apache.org by Apache Wiki <wi...@apache.org> on 2012/10/13 19:37:25 UTC

[Httpd Wiki] Update of "RemoveSSLCertPassPhrase" by TimBannister

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "RemoveSSLCertPassPhrase" page has been changed by TimBannister:
http://wiki.apache.org/httpd/RemoveSSLCertPassPhrase?action=diff&rev1=4&rev2=5

Comment:
Changed security warning into a Moin admonition

  ## page was renamed from Info/RemoveSSLCertPassPhrase
- = Remove SSL Certificate Passphrase =
+ = Remove SSL certificate passphrase =
  
- A lot of people ask how they can remove the passphrase requirements from an SSL key so that Apache can be (re)started without the need to re-enter the key's passphrase.
+ A lot of people ask how they can remove the passphrase requirements from a private key so that Apache can be (re)started without the need to re-enter the key's passphrase.
  
- There are two main options, but before we get to those you need to be aware of the risks associated with doing this.
+ {{{#!wiki caution
+ '''Security warning'''
+ 
- Once you remove the requirement for the passphrase, the certificate can be easily copied and used elsewhere, thus raising the risk of it being abused.  If you *must* remove the passphrase then you must take adequate protection in the storage of the file.  Ensure that the permissions are set to only allow access to those who *need* it.
+ Once you remove the requirement for the passphrase, the certificate can be easily copied and used elsewhere, thus raising the risk of it being abused.  If you must remove the passphrase then you must take adequate protection in the storage of the file.  Ensure that the permissions are set to only allow access to those who need it.
+ }}}
  
  Now that you have been warned about the risks, we can continue onto the options 
  
-  1. Apache has a directive you can use, called '' 'SSL!PassPhraseDialog' ''.   Click [[http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialog|here]] for the documentation on this directive.
+  1. httpd has a directive you can use, [[http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog|SSLPassPhraseDialog]].
   1. You can use OpenSSL to remove the passphrase from the certificate completely.
  
  
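Review bot: The new admonition text still says "the certificate can be easily copied and used elsewhere", and the unchanged list item 2 still says "remove the passphrase from the certificate", while this same change corrects the intro from "an SSL key" to "a private key". The passphrase protects the private key file, not the certificate, so both places should say "private key" to match the corrected intro. The context line "we can continue onto the options" also now follows a removed "There are two main options" sentence and ends without punctuation; consider ending it with a colon so it introduces the numbered list.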
@@ -20, +23 @@

  SSLPassPhraseDialog exec:/path/to/script
  }}}
  
- '' '''N.B.'''  'SSL!PassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks. ''
+ '' '''N.B.'''  'SSLPassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks. ''
  
  <<BR>>
  Inside an example perl script:
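Review bot: In the changed N.B. line the directive name is still wrapped in single quotes inside the '' ... '' italics ('SSLPassPhraseDialog'), which will likely render the quote marks literally. With the "!" removed, use monospace markup for the name or the same documentation link used in the list item of the first hunk, and check the preview to confirm the name does not turn into a CamelCase page link. Since this change converts the security warning into an admonition, the N.B. could become one as well for consistency.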
@@ -36, +39 @@

  }}}
  
  
- == How to decrypt a key with OpenSSL ==
+ == How to strip a key with OpenSSL ==
  
  With OpenSSL you can actually remove the passphrase from the SSL key completely.  This will avoid Apache asking you to enter the passphrase every time it is started. To do this go to the command line and type
  
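Review bot: The renamed heading "How to strip a key with OpenSSL" does not say what is being stripped; "How to strip the passphrase from a key with OpenSSL" would be unambiguous. The unchanged paragraph under it still says "the SSL key" and "Apache", where the first hunk moved to "private key" and "httpd"; update it in the same edit so the page uses one set of terms.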
