
As explained in Apache and SSL Certificates, passphrase encryption requires an administrator's intervention whenever the service is started.

As such, the current standard for web servers is to not use passphrase encryption and instead to rely on file system permissions to protect the keys.

Having said that, in some cases the administrator may want to use password encryption.
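The two options above (a passphrase on the key, or no passphrase and strict file permissions) can both be checked without touching the key material itself. The script below is an added example, not part of the original page: it reads only the PEM header to tell whether a key is passphrase-encrypted, and otherwise checks that the file mode leaves no group or other access. It assumes a POSIX sh with GNU or BSD stat; the key file names are placeholders and the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original page: audit a PEM private key file.
# It reports whether the key carries passphrase encryption (read from the PEM
# header, no openssl needed) and, if not, whether the file mode is tight enough
# to rely on the file system alone. Assumes a POSIX sh with GNU or BSD stat;
# all file names below are placeholders.

# key_is_encrypted FILE -> exit 0 if the PEM header marks the key as encrypted.
# Traditional PEM uses "Proc-Type: 4,ENCRYPTED" (what `genrsa -aes256` writes);
# PKCS#8 uses the "BEGIN ENCRYPTED PRIVATE KEY" block label.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# key_mode FILE -> prints the octal permission bits, e.g. 600 (GNU stat, then BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_mode_ok FILE -> exit 0 when neither group nor other has any access bit.
key_mode_ok() {
    mode=$(key_mode "$1")
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')   # last three octal digits
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_key FILE -> prints exactly one word:
#   encrypted     passphrase-protected; an admin must type it at service start
#   fs-protected  unencrypted, but only the owner can read it
#   EXPOSED       unencrypted and readable by group or other
audit_key() {
    if key_is_encrypted "$1"; then
        echo encrypted
    elif key_mode_ok "$1"; then
        echo fs-protected
    else
        echo EXPOSED
    fi
}

# Constructed sample files (not real keys; only the headers matter here).
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
    '(base64 body omitted)' '-----END RSA PRIVATE KEY-----' > "$tmp/enc.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(base64 body omitted)' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/plain.key"
cp "$tmp/plain.key" "$tmp/world.key"
chmod 600 "$tmp/enc.key" "$tmp/plain.key"
chmod 644 "$tmp/world.key"   # the mistake the audit is meant to catch

for f in enc plain world; do
    printf '%s: %s\n' "$f.key" "$(audit_key "$tmp/$f.key")"
done
# Prints: enc.key: encrypted / plain.key: fs-protected / world.key: EXPOSED
# The sample directory "$tmp" is left behind; remove it with: rm -rf "$tmp"
```

Run it against a real key with `audit_key /path/to/server.key` after sourcing the functions; a result of EXPOSED means the key has neither protection the page describes and should be re-permissioned (chmod 600) before anything else.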

Generating Server Private Key with Password Encryption

su bhitch # Use a sudo enabled account.
cd ~
mkdir private
sudo chmod 700 ./private # only the owner may enter the key directory
cd private
openssl genrsa -aes256 -out server.key 2048 # server.key is a placeholder name; you are prompted for the passphrase

The openssl command reads,

  • genrsa - generate an RSA private key (the private half of an asymmetric key pair)
  • aes256 - protect the RSA key with a passphrase using AES-256-CBC symmetric encryption
  • 2048 - make the RSA private key 2048 bit

As of May 2011, most examples, including the Apache 2.2 documentation, use des3 and 1024. This was to accommodate older browsers. The standard has since changed to AES-256-CBC and 2048. Some CAs will no longer accept 1024.

Removing Password Encryption

To remove the passphrase from the key file (file names below are placeholders),

cp server.key server.key.enc # always good to backup first
openssl rsa -in server.key -out server.key.nopass # prompts for the passphrase, writes the unencrypted key
rm server.key # delete the original file; point the web server at server.key.nopass and keep its mode at 600