Hi Martin
Thanks for the clarification!
I went with the better approach of generating a CSR on the server.
Regards
Stefan
On 16.01.19 at 14:23, Martin Bartosch wrote:
Hi,
I'm new to OPENXPKI and I'm wondering how I could create a Certificate for
apache2.
I have OPENXPKI up and running, I can already create Certificates with the
predefined TLS/Web Server Certificate Profile.
But I want to modify this profile so that I can create a certificate with a key
without a passphrase. I don't want to enter the passphrase every time I restart
apache.
The quick answer is: for security reasons OpenXPKI enforces setting a
passphrase if the private key is generated on the PKI side. This is by design
and a good practice. It is also not easily possible to disable passphrases on
keys generated on the PKI.
What you can do, however, is change or remove the passphrase protection from
the downloaded key.
Download the key in PEM format and run
openssl rsa -in INFILE -out OUTFILE
INFILE is the encrypted private key you downloaded from the PKI. OUTFILE is the
unencrypted RSA key which can be directly used by Apache.
However, a much better approach is to generate the private key on the server
where the certificate is used and create a PKCS#10 request (CSR) from the
private key. This file can be uploaded to OpenXPKI as a certificate request,
Oxi can issue a certificate and you import the generated certificate on your
system.
If you do this, the private key never leaves your system, which is much
preferred to sending around private keys.
CSRs and certificates only contain public information, hence no worries about
leaking this.
HTH
Martin
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
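
The server-side approach recommended in the thread, as an added example (not part of the original messages and not OpenXPKI's own tooling): generate the key and PKCS#10 request on the web server, then check that the issued certificate belongs to that key before configuring Apache. The function names, file names and the host name www.example.test are assumptions.

```sh
# Added example; function names, paths and the subject are constructed placeholders.

# make_csr DIR FQDN: writes DIR/FQDN.key and DIR/FQDN.csr
make_csr() {
    key="$1/$2.key"; csr="$1/$2.csr"
    # umask in a subshell so the key file is created readable by its owner only.
    # No cipher option is passed, so the key is written without a passphrase
    # and Apache can load it unattended.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    # The CSR carries only the public key and the requested subject.
    openssl req -new -key "$key" -subj "/CN=$2" -out "$csr"
}

# pub_pem KIND FILE: prints the public key in PEM; KIND is key, csr or cert
pub_pem() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin ;;
        cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# same_key KIND FILE KEYFILE: succeeds only if FILE carries KEYFILE's public key.
# An unreadable input yields an empty string and is treated as a mismatch.
same_key() {
    a=$(pub_pem "$1" "$2"); b=$(pub_pem key "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Typical use on the web server:
#   make_csr /etc/ssl/private www.example.test
#   (upload the .csr to the PKI, download the issued certificate as issued.crt)
#   same_key cert issued.crt /etc/ssl/private/www.example.test.key && echo match
```

Only the .csr file is uploaded; the .key file stays on the server with owner-only permissions.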