I just set up a secure server. Followed the GoDaddy instructions for key generation/installation - and the server wanted my pass phrase to start. When I was developing I followed instructions for a self-signed cert and everything went dandy.

Anyway - after a little googling and an uneasy feeling that I messed up and GoDaddy might charge me a fee to resubmit for a new cert, I found the following solution -

openssl rsa -in secure.shastaherps.key.old -out secure.shastaherps.key

After running that and entering my pass phrase, no pass phrase is required to start the server and it seems like the browsers don't complain, so I think I'm set, but I thought I'd verify that all really is well and that doing that isn't going to cause any issues.

If I understand it correctly, the phrase was needed when Apache starts in order to decrypt the key, and all I did above was decrypt the key so that Apache doesn't have to, correct?
Michael A. Peters wrote:
> openssl rsa -in secure.shastaherps.key.old -out secure.shastaherps.key
>
> After running that and entering my pass phrase, no pass phrase is
> required to start the server and it seems like the browsers don't
> complain, so I think I'm set, but I thought I'd verify that all really
> is well and that doing that isn't going to cause any issues.

I've been doing that for years and it works fine so I think you're good to go.

nate
On Fri, 3 Apr 2009, Michael A. Peters wrote:
> After running that and entering my pass phrase, no pass phrase is
> required to start the server and it seems like the browsers don't
> complain, so I think I'm set, but I thought I'd verify that all
> really is well and that doing that isn't going to cause any issues.
>
> If I understand it correctly, the phrase was needed when Apache
> starts in order to decrypt the key, and all I did above was decrypt
> the key so that apache doesn't have to, correct?

You are correct. As long as you can guarantee limited access to the file containing the key, then storing it in decrypted form is probably worth the risk. On a server with untrusted users, however, I'd keep it decrypted.

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
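A small check script to go with the openssl conversion in the first post and Paul's point about limiting access to the key file. It is an added example, not part of any message in the thread; the file names and the "$1.old" naming convention are assumptions.

```shell
#!/bin/sh
# Added example: after stripping the pass phrase with "openssl rsa", confirm
# the key on disk really is unencrypted and that nobody but its owner can
# read it. File names and paths are assumptions, not from the thread.

# Return 0 if the PEM file still carries an encryption header, 1 otherwise.
# Traditional OpenSSL keys show "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys show
# "-----BEGIN ENCRYPTED PRIVATE KEY-----".
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Return 0 if group and other have no permission bits (mode 600 or 400),
# which is what an unencrypted key on disk needs. Parses the mode column of
# "ls -ld" so it works on both GNU and BSD userlands.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group+other part of "-rw-------"
    [ "$mode" = "------" ]
}

# Strip the pass phrase the way the thread does, then lock the copy down.
# Expects the encrypted key at "$1.old" and writes the plain key to "$1".
# The subshell keeps the restrictive umask from leaking into the caller.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1.old" -out "$1" ) || return 1
    chmod 600 "$1"
}

# Verdict for one key file: prints each problem found, returns 1 if any.
check_key_file() {
    rc=0
    if key_is_encrypted "$1"; then
        echo "$1: still encrypted; Apache will prompt for the pass phrase"
        rc=1
    fi
    if ! key_perms_ok "$1"; then
        echo "$1: readable by group/other; run chmod 600 on it"
        rc=1
    fi
    return $rc
}
```

Run `check_key_file /path/to/secure.key` after the conversion; a silent exit 0 means the key is plain and only its owner can read it.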