Removing a passphrase from an SSL Key
Friday, October 12th, 2007
The typical process for creating an SSL certificate is as follows:
# openssl genrsa -des3 -out www.key 1024
At this point it is asking for a PASS PHRASE (which I will describe how to remove):
Enter pass phrase for www.key:
# openssl req -new -key www.key -out www.csr
Next, you will typically send the www.csr file to your registrar. In turn, you should receive a key.
From a security standpoint utilizing a passphrase, is a good thing, but from a practical standpoint not very useful.
For instance, what happens when your server reboots/crashes at 3am? Or better, what happens in 6 months when you reboot your machine, and you don’t remember the password? Well, one thing is for sure, your web server will not be online.
I suggest removal of the passphrase, you can follow the process below:
Always backup the original key before first to make sure no mistakes occur:
# cp www.key www.key.orig
Then unencrypt the key with openssl. You’ll need the passphrase for the decryption process:
# openssl rsa -in www.key -out new.key
Now copy the new.key to the www.key file and you’re done. Next time you restart the web server, it should not prompt you for the passphrase.