Hi,

> I'm new to OPENXPKI and I'm wondering how I could create a Certificate for
> apache2.
> I have OPENXPKI up and running, I can already create Certificates with the
> predefined TLS/Web Server Certificate Profile.
> But I want to modify this profile, that I can create a certificate with key
> without passphrase. I don't want to enter the passphrase every time I restart
> apache.

The quick answer is: for security reasons OpenXPKI enforces setting a passphrase if the private key is generated on the PKI side. This is by design and a good practice. It is also not easily possible to disable passphrases on keys generated on the PKI.

What you can do, however, is change or remove the passphrase protection from the downloaded key. Download the key in PEM format and run

    openssl rsa -in INFILE -out OUTFILE

INFILE is the encrypted private key you downloaded from the PKI. OUTFILE is the unencrypted RSA key which can be directly used by Apache.

However, a much better approach is to generate the private key on the server where the certificate is used and create a PKCS#10 request (CSR) from the private key. This file can be uploaded to OpenXPKI as a certificate request, Oxi can issue a certificate and you import the generated certificate on your system.

If you do this, the private key never leaves your system, which is much preferred to sending around private keys. CSRs and certificates only contain public information, hence no worries about leaking this.

HTH

Martin
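
Added example, not part of the message above and not OpenXPKI's own code: the server-side approach from the reply, with the key and PKCS#10 request generated locally and checked before upload. The host name www.example.test, the file names, the RSA key size and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example. The FQDN, file names and RSA key size are assumptions.

# make_key_and_csr DIR FQDN
# Generates an unencrypted RSA key (owner-readable only) and a PKCS#10 CSR for it.
make_key_and_csr() {
    (
        umask 077                  # key file is created with mode 0600
        # -nodes: no passphrase on the key, so Apache can start unattended
        openssl req -new -newkey rsa:3072 -nodes \
            -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
    )
}

# pubkey_digest KIND FILE   (KIND is key, csr or cert)
# Prints the SHA-256 of the public key contained in FILE.
pubkey_digest() {
    case $1 in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1      # unreadable input must never compare equal
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# same_pubkey KIND_A FILE_A KIND_B FILE_B
# Succeeds only if both files carry the same public key.
same_pubkey() {
    a=$(pubkey_digest "$1" "$2") || return 1
    b=$(pubkey_digest "$3" "$4") || return 1
    [ "$a" = "$b" ]
}

# csr_signature_ok FILE: the CSR is signed by the key it names (proof of possession).
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Demo in a scratch directory; on a real server the key stays where Apache reads it.
demo_dir=$(mktemp -d)
make_key_and_csr "$demo_dir" www.example.test &&
    csr_signature_ok "$demo_dir/www.example.test.csr" &&
    same_pubkey key "$demo_dir/www.example.test.key" csr "$demo_dir/www.example.test.csr" &&
    echo "CSR ready to upload: $demo_dir/www.example.test.csr"
```

Once the PKI has issued the certificate, `same_pubkey key FILE cert FILE` confirms that it belongs to the local key before Apache is pointed at the pair.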
