As explained in Apache and SSL Certificates, passphrase encryption requires an administrator's intervention whenever the service is started.
As such, the current standard for Web Servers, is to not use password encryption and instead rely on the file system to protect the keys.
Having said that, in some cases the administrator may want to use password encryption.
su bhitch # Use a sudo enabled account. cd ~ mkdir private sudo chmod 700 ./private cd private openssl genrsa -aes256 -out www.earth.com_server.key 2048 |
The openssl command reads,
As of May 2011, most of the examples including the Apache 2.2 documentation use des3 and 1024. This was to accommodate older browsers. The standard has since changed to AES-256-CBC and 2048. Some CAs will no longer accept 1024. |
To remove the password from the key file,
cp www.earth.com_server.key www.earth.com_server.key.bck # always good to backup first openssl rsa -in www.earth.com_server.key -out www.earth.com_server.key.insecure rm www.earth.com_server.key # delete the original file mv www.earth.com_server.key.insecure www.earth.com_server.key |