View Source

Introduction

As explained in Apache and SSL Certificates, passphrase encryption requires an administrator's intervention whenever the service is started.

As such, the current standard for Web Servers, is to not use password encryption and instead rely on the file system to protect the keys.

Having said that, in some cases the administrator may want to use password encryption.

Generating Server Private Key with Password Encryption

su bhitch # Use a sudo enabled account.
cd ~
mkdir private
sudo chmod 700 ./private
cd private
openssl genrsa -aes256 -out www.earth.com_server.key 2048

The openssl command reads,

genrsa - generate asymmetric keys
aes266- - protect the RSA key with a passphrase using CBC AES 256 symmetric key encyrption
2048 - make the RSA private key 2048 bit

As of May 2011, most of the examples including the Apache 2.2 documentation use des3 and 1024. This was to accommodate older browsers. The standard has since changed to AES-256-CBC and 2048. Some CAs will no longer accept 1024.

Removing Password Encryption

To remove the password from the key file,

cp www.earth.com_server.key www.earth.com_server.key.bck # always good to backup first
openssl rsa -in www.earth.com_server.key -out www.earth.com_server.key.insecure
rm www.earth.com_server.key # delete the original file
mv www.earth.com_server.key.insecure www.earth.com_server.key