Using instructions from this site but varying them just a little, I created a CA using -newca, copied cacert.pem to my comp and imported it as a trusted issuer in IE. I then did -newreq and -sign (note: I do /full/path/CA.sh -cmd and not sh CA.sh -cmd) and moved the cert and key to apache.
I visited the site in IE and using .NET code and it appears trusted, great (unless I write www. in front, which is expected). But every time I restart apache I need to type in my password for the site(s?).
How can I make it so I DO NOT need to type in the password?
You want to remove the passphrase from a key file. Run this:
Be aware that this means that anyone with physical access to the server can copy (and thereby abuse) the key.
I've been guilty of removing the passphrase from my own key files in the past, because it's the simplest solution, but security-wise, it's not the best idea. An alternative is to feed the passphrase to Apache. You can do this with the SSLPassPhraseDialog option in your httpd.conf (or another file that it includes). If you only have one SSL site on your server, the simplest form of this would be:
You would then create a very simple script called /path/to/passphrase-script that contains something like the following:
When starting up, Apache will take the output of this script and use it as the passphrase for your SSL key. If you have multiple SSL sites, SSLPassPhraseDialog has additional ways in which it can be used, so you can either have a single script for all of your keys, or a separate script for each, or however you want to do it.
To remove the password from a PEM file, you can do the following. Note that both commands are required for the situation where the private key and the public certificate are in the same file:
This will create a file called "newcert.pem" that is a PEM file without a password. As noted in other answers, you should consider whether or not this is a good idea from a security standpoint before doing so.
Snagged from here
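The two-command passphrase removal that the first and third answers describe, written out as an added example (this is not code from either answer). It builds a throwaway encrypted key plus self-signed certificate as constructed sample data, strips the passphrase into newcert.pem, and checks the result; the file names, the directory and the test passphrase "secret" are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original answers. It performs the
# two-step passphrase removal on a PEM file that holds both the encrypted
# private key and the certificate, writing an unencrypted newcert.pem.
# File names and the sample passphrase are assumptions of this example.
set -eu

# Build a throwaway encrypted key + self-signed certificate (constructed
# sample data) so the procedure can be exercised offline. In real use,
# oldcert.pem is the file you got from CA.sh -newreq / -sign.
make_sample_pem() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=example.test" \
        -passout pass:secret -keyout "$dir/key-enc.pem" -out "$dir/cert.pem" \
        2>/dev/null
    cat "$dir/key-enc.pem" "$dir/cert.pem" > "$dir/oldcert.pem"
}

# strip_passphrase IN OUT PASSPHRASE
# Step 1 decrypts the key (openssl rsa writes only the key, so the
# certificate would otherwise be lost); step 2 appends the certificate.
# Interactively you would omit -passin and answer the prompt instead.
strip_passphrase() {
    in=$1; out=$2; pass=$3
    # The unencrypted key is only as safe as its file permissions:
    # create it owner-readable only.
    ( umask 077; openssl rsa -in "$in" -passin "pass:$pass" -out "$out" 2>/dev/null )
    openssl x509 -in "$in" >> "$out"
}

# is_unencrypted FILE: succeeds when FILE contains no encrypted block,
# parses as a valid RSA key, and still carries the certificate.
is_unencrypted() {
    ! grep -q ENCRYPTED "$1" &&
        openssl rsa -in "$1" -check -noout >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# run_demo [DIR]: end-to-end run; prints the path of the resulting file.
run_demo() {
    dir=${1:-$(mktemp -d)}
    make_sample_pem "$dir"
    strip_passphrase "$dir/oldcert.pem" "$dir/newcert.pem" secret
    is_unencrypted "$dir/newcert.pem"
    echo "$dir/newcert.pem"
}
```

Running `run_demo` prints the path of a newcert.pem that Apache can load without a prompt. The `openssl x509` step matters whenever key and certificate share one file: `openssl rsa` drops everything except the key, and the extracted certificate must be put back or the SSLCertificateFile will be incomplete.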
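The SSLPassPhraseDialog alternative from the second answer, as an added example that is not the answer's own script. Apache's `SSLPassPhraseDialog exec:/path/to/passphrase-script` runs the program once per encrypted key at startup, passing "servername:port" as the first argument and the key type (RSA, DSA, ECC) or, in newer releases, a certificate index as the second, and reads the passphrase from its stdout. The map-file location, its tab-separated format and the server names below are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer): a passphrase-dialog helper
# for Apache's  SSLPassPhraseDialog exec:/path/to/passphrase-script
# Apache calls it with $1 = "servername:port" and $2 = key type or index,
# and uses whatever the script prints on stdout as the passphrase.
# The map-file path and its format are assumptions of this example.

# Map file, one entry per line: "servername:port<TAB>passphrase".
# Keep the map and this script mode 0600/0700 and owned by root: anyone
# who can read them can decrypt the keys, which is the same trade-off the
# answers describe for a passphrase-less key, only with a smaller exposure.
PASSPHRASE_MAP=${PASSPHRASE_MAP:-/etc/apache2/ssl/passphrases}

# lookup_passphrase SERVER MAPFILE
# Prints the passphrase for SERVER ("servername:port"); exits non-zero
# and prints nothing for an unknown server, so Apache fails to start
# instead of silently trying an empty passphrase.
lookup_passphrase() {
    server=$1
    map=$2
    awk -v srv="$server" -F "$(printf '\t')" '
        /^#/ || NF < 2 { next }                 # skip comments, malformed lines
        $1 == srv      { print $2; found = 1; exit }
        END            { if (!found) exit 1 }   # unknown server: non-zero
    ' "$map"
}

# passphrase_dialog SERVER [KEYTYPE]
# Entry point matching Apache's calling convention. $2 is ignored here
# because this layout keeps one key per virtual host.
passphrase_dialog() {
    if [ "$#" -lt 1 ]; then
        echo "usage: $0 servername:port [keytype]" >&2
        return 2
    fi
    lookup_passphrase "$1" "$PASSPHRASE_MAP"
}

# When Apache executes this file, dispatch to the entry point.
if [ "$#" -ge 1 ]; then
    passphrase_dialog "$@"
fi
```

With this in place the httpd.conf line is `SSLPassPhraseDialog exec:/path/to/passphrase-script`, and one map file serves every SSL site on the host, which is the "single script for all of your keys" arrangement the answer mentions.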