Created
January 12, 2013 15:39
The typical process for creating an SSL certificate is as follows:
# openssl genrsa -des3 -out www.key 2048
Note: When creating the key, you can avoid entering the initial passphrase altogether using:
# openssl genrsa -out www.key 2048
With -des3, openssl asks for a PASS PHRASE at this point (I will describe how to remove it below):
Enter pass phrase for www.key:
# openssl req -new -key www.key -out www.csr
Next, you will typically send the www.csr file to your registrar. In turn, your registrar will provide you with the .crt (certificate) file.
From a security standpoint, using a passphrase is a good thing, but from a practical standpoint it is not very useful.
For instance, what happens when your server reboots/crashes at 3am? Or better, what happens in 6 months when you reboot your machine, and you don’t remember the password? Well, one thing is for sure, your web server will not be online.
I suggest removing the passphrase. You can follow the process below:
Always back up the original key first (just in case)!
# cp www.key www.key.orig
Then decrypt the key with openssl. You’ll need the passphrase for the decryption process:
# openssl rsa -in www.key -out new.key
Now copy new.key over the www.key file and you’re done. Next time you restart the web server, it should not prompt you for the passphrase.
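The passphrase removal described above, as an added shell example that is not part of the original gist: it creates the decrypted key readable by its owner only and checks that it is the same key pair as the backup before replacing www.key. The function names, the temporary directory, the .new suffix and the demo passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names www.key / www.key.orig follow the page; the
# function names, temp directory and demo passphrase are constructed.

# True if the PEM file is passphrase-protected (traditional or PKCS#8 form).
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# SHA-256 of the public half of a private key; $2 is the passphrase ("" if none).
pubkey_digest() {
    pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# strip_passphrase KEY PASS: back up KEY, decrypt it, verify, then swap it in.
# -passin keeps the demo non-interactive; at a terminal, omit it and let
# openssl prompt so the passphrase never appears in the process list.
strip_passphrase() {
    key=$1; pass=$2
    key_is_encrypted "$key" || return 1        # nothing to strip
    old_umask=$(umask); umask 077              # plaintext key is owner-only from creation
    cp -p "$key" "$key.orig" &&
        openssl rsa -in "$key" -passin "pass:$pass" -out "$key.new" 2>/dev/null
    rc=$?
    umask "$old_umask"
    if [ "$rc" -ne 0 ]; then rm -f "$key.new"; return 2; fi   # wrong passphrase: key untouched
    # Refuse to install the new file unless it is the same key pair as the backup.
    a=$(pubkey_digest "$key.orig" "$pass") && b=$(pubkey_digest "$key.new" "") &&
        [ "$a" = "$b" ] || return 3
    chmod 600 "$key.orig" "$key.new" && mv "$key.new" "$key"
}

# Constructed demo input: a throwaway encrypted key; prints the directory holding it.
make_demo_key() {
    dir=$(mktemp -d) &&
        openssl genrsa -des3 -passout pass:demo-passphrase -out "$dir/www.key" 2048 2>/dev/null &&
        echo "$dir"
}

demo_dir=$(make_demo_key) && strip_passphrase "$demo_dir/www.key" demo-passphrase &&
    ls -l "$demo_dir"
```

The web server's own user (or root, if the server reads the key before dropping privileges) should be the only account able to read the resulting www.key, and www.key.orig belongs off the server once the swap is confirmed.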