Home / server / Questions / 366372
Accepted
diya
Asked: 2012-03-05 22:28:25 +0800 CST

Is it possible to generate RSA key without pass phrase?

  • 772

I'm working with Apache2 and Passenger for a Rails project. I would like to create a self-signed SSL Certificate for testing purposes. 

sudo openssl rsa -des3 -in server.key -out server.key.new

When i enter the above command, it says

writing RSA key
Enter PEM pass phrase:

If i do not enter the pass phrse, im getting the below error

unable to write key
3079317228:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:Yo
u must type in 4 to 1024 characters
3079317228:error:0906406D:PEM routines:PEM_def_callback:problems getting passwor
d:pem_lib.c:111:
3079317228:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:382

Is it possible to generate a RSA key without giving pass phrase, since I am not sure how the /etc/init.d/httpd script will start the HTTP server without human intervention (i.e. If I give a 4 character pass phrase, it expects me to provide this while starting the Apache HTTP server).

apache-2.2 https openssl passphrase

9 Answers

  1. Best Answer

    If you are generating a self signed cert, you can do both the key and cert in one command like so:

    openssl req  -nodes -new -x509  -keyout server.key -out server.cert

    Oh, and what @MadHatter said in his answer about omitting the -des3 flag.

    • 158

  2. Leave off the -des3 flag, which is an instruction to openssl to encrypt server.key.new (which, incidentally, isn't a new key at all - it's exactly the same as server.key, only with the passphrase changed/stripped off).

    • 56

  3. The openssl req command from the answer by @Tom H is correct to create a self-signed certificate in server.cert incl. a password-less RSA private key in server.key:

    openssl req -nodes -new -x509 -keyout server.key -out server.cert

    Here is how it works. Omitting -des3 as in the answer by @MadHatter is not enough in this case to create a private key without passphrase. It is enough for this purpose in the openssl rsa ("convert a private key") command referred to by @MadHatter and the openssl genrsa ("create a private key") command. Just not for for the openssl req command here. We additionally need -nodes ("No DES encryption of server.key please!").

    • 40

  4. Use the -nodes parameter, if this option is specified then the private key will not be encrypted, e.g.:

    openssl \
    req \
    -nodes \
    -newkey rsa:2048 \
    -keyout www.example.com.key \
    -out www.example.com.csr \
    -subj "/C=DE/ST=NRW/L=Berlin/O=My Inc/OU=DevOps/CN=www.example.com/[email protected]"
    • 35

  5. Just run it again through openssl

    first generate the key with the passphrase

    then openssl rsa -in server.key -out server.key

    • 11

  6. Adding '-nodes' to the 'openssl req' allows a unencrypted (no pass phrase) private key to be generated from the 'openssl req' command

    • 11

  7. Use the next command to generate password-less private key file with NO encryption. The last parameter is the size of the private key.

    openssl genrsa -out my-passless-private.key 4096
    • 5

  8. To generate PEM certificate without passphrase:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 10000 -nodes

    • 0

  9. To generate a self signed cert for testing:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
-days 365 -sha256

    Then remove the password from the key via

    openssl rsa -in key.pem -out nopass.pem

    This answers is from: https://actix.rs/docs/server/. This answer completes https://serverfault.com/a/662445/113360 above with a preceding step.

    • -1