====== Apache - Certificates - Use password protected certificates ======

A lot of people remove the passphrase from their own key files because it is the simplest solution, but security-wise, it is not the best idea.

An alternative is to feed the passphrase to Apache.

  * This can be done with the **SSLPassPhraseDialog** option in the httpd.conf (or another file that it includes).

If you only have one SSL site on your server, the simplest form of this would be:

<code>
# either of these will work
SSLPassPhraseDialog |/path/to/passphrase-script
SSLPassPhraseDialog exec:/path/to/passphrase-script
</code>

Then create a very simple script called **/path/to/passphrase-script** that contains something like the following:

<code>
#!/bin/sh
echo "put the passphrase here"
</code>

**WARNING**: As this script would contain the actual passphrase, it needs to be securely locked-down.

**NOTE:** When starting up, Apache will take the output of this script and use it as the passphrase for the SSL key.

  * If you have multiple SSL sites, **SSLPassPhraseDialog** has additional ways in which it can be used, so you can either have a single script for all of your keys, or a separate script for each, or however you want to do it.
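
For the multi-site case and the lock-down warning above, here is an added example (not from the original page): with the exec: form, mod_ssl passes "servername:port" as the script's first argument, so a single script can pick a per-site passphrase file and refuse one that is readable by group or others. The directory /etc/apache2/ssl-passphrases and the function name get_passphrase are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: per-site helper for "SSLPassPhraseDialog exec:/path/to/passphrase-script".
# PASSPHRASE_DIR is an assumed location holding one file per "servername:port".
PASSPHRASE_DIR=${PASSPHRASE_DIR:-/etc/apache2/ssl-passphrases}

get_passphrase() {
    site=$1
    # Allow only hostname:port characters so the argument cannot leave the directory.
    case $site in
        ''|.*|*[!A-Za-z0-9.:-]*)
            echo "passphrase-script: refusing site name" >&2
            return 1 ;;
    esac
    file=$PASSPHRASE_DIR/$site
    listing=$(ls -ld "$file" 2>/dev/null) || {
        echo "passphrase-script: no passphrase file for $site" >&2
        return 1
    }
    # Require a regular file (not a symlink) with no group/other permission bits.
    case $listing in
        -???------*) ;;
        *)  echo "passphrase-script: $file must be a regular file, mode 0600 or stricter" >&2
            return 1 ;;
    esac
    # Require that the invoking user (typically root when Apache starts) owns the file.
    [ -O "$file" ] || {
        echo "passphrase-script: $file is not owned by the invoking user" >&2
        return 1
    }
    cat "$file"
}

# Apache supplies "servername:port" as the first argument; do nothing without it.
if [ "$#" -ge 1 ]; then
    get_passphrase "$1"
fi
```

Keeping the passphrases in separate mode-0600 files means the script itself holds no secret, and a failed check makes Apache's startup fail visibly instead of silently using an exposed file.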