Handling all of your technology needs

SSL/Apache pass-phrase dialog elimination

This document is a tiny HOWTO covering how to get rid of the SSL pass-phrase dialog at Apache startup

The reason why this dialog pops up at startup and every re-start is that the RSA private key inside 
your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed 
to be able to read and parse this file. When you can be sure that your server is secure enough you 
perform two steps:

1. Remove the encryption from the RSA private key (while preserving the original file):
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

2. Make sure the server.key file is now only readable by root (or webserver UID):
$ chmod 400 server.key

Now server.key will contain an unencrypted copy of the key. If you point your server at this file 
it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to 
impersonate you on the net. PLEASE make sure that the permissions on that file are really such 
that only root or the web server user can read it (preferably get your web server to start as 
root but run as another server, and have the key readable only by root).

As an alternative approach you can use the facility;

SSLPassPhraseDialog exec:/path/to/program

Keep in mind that this is neither more nor less secure.

Click here to go back to the help article index.