Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The following page has been changed by ChrisPepper: http://wiki.apache.org/httpd/Info/RemoveSSLCertPassPhrase The comment on the change is: Fix case & punctuation; tweak phrasing. ------------------------------------------------------------------------------ - = Remove SSL Certificate PassPhrase = + = Remove SSL Certificate Passphrase = - A lot of people ask how they can remove the !PassPhrase requirements from an SSL certificate so that Apache can be (re)started without the need to re-enter the !PassPhrase. + A lot of people ask how they can remove the passphrase requirements from an SSL key so that Apache can be (re)started without the need to re-enter the key's passphrase. - Now there are two main options, but before we get to those you need to be aware of the risks associated with doing this. + There are two main options, but before we get to those you need to be aware of the risks associated with doing this. - Once you remove the requirement for the !PassPhrase the certificate can be easily copied and used elsewhere, thus opening you to the risk of it being abused. If you *must* remove the !PassPhrase then you must take adequate protection in the storage of the file. Ensure that the permissions are set to only allow access to those who *need* access. + Once you remove the requirement for the passphrase, the certificate can be easily copied and used elsewhere, thus raising the risk of it being abused. If you *must* remove the passphrase then you must take adequate protection in the storage of the file. Ensure that the permissions are set to only allow access to those who *need* it. - Now that you have been warned about the risks, we can continue onto the options that you have. + Now that you have been warned about the risks, we can continue onto the options - 1. Apache has a directive you can use, it is called '' 'SSL!PassPhraseDialog' ''. Click [http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialog here] for the Apache documentation on the directive. + 1. Apache has a directive you can use, called '' 'SSL!PassPhraseDialog' ''. Click [http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialog here] for the documentation on this directive. - 1. You can use OpenSSL to remove the !PassPhrase from the certificate completely + 1. You can use OpenSSL to remove the passphrase from the certificate completely. == An example usage of SSLPassPhraseDialog : == @@ -19, +19 @@ SSLPassPhraseDialog exec:/path/to/script }}} - '' '''N.B.''' That 'SSL!PassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks '' + '' '''N.B.''' 'SSL!PassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks. '' [[BR]] Inside an example perl script: @@ -28, +28 @@ #!/usr/bin/perl # # Hideously insecure temporary hack so a reboot - # can happen without requiring the pass phrase to be input + # can happen without requiring the passphrase to be input # at the console. - print "Put your SSL PassPhse here\n"; + print "Enter your SSL Passphrase here\n"; }}} - == How to use OpenSSL == + == How to decrypt a key with OpenSSL == - With OpenSSL you can actually remove the !PassPhrase from the certificate completely. This will then prevent Apache from asking you to enter the !PassPhrase everytime it is started. To do this go to the command line and type + With OpenSSL you can actually remove the passphrase from the SSL key completely. This will avoid Apache asking you to enter the passphrase every time it is started. To do this go to the command line and type {{{ /path/to/openssl rsa -in /path/to/originalkeywithpass.key -out /path/to/newkeywithnopass.key }}} - Making sure your replace the file names, and paths above with the correct ones for your environment. + with the file names and paths appropriate for your environment.
