Apache - Certificates - Use password protected certificates

A lot of people remove the passphrase from their key files because it is the simplest solution, but security-wise it is not the best idea: the private key is then protected by filesystem permissions alone, and any copy of it (in a backup, or read through a misconfiguration) is immediately usable by whoever obtains it.

An alternative is to keep the passphrase on the key and have Apache fetch it from a program at startup, using the SSLPassPhraseDialog directive of mod_ssl.

If you only have one SSL site on your server, the simplest form of this would be:

/etc/apache2/httpd.conf
# either of these will work for a single key:
#   exec:  runs the script once per key, passing "servername:port" and the key type (RSA, DSA or ECC) as its two arguments
#   |      starts the script once and feeds it each prompt on stdin, reading the passphrase from its stdout
SSLPassPhraseDialog |/path/to/passphrase-script
SSLPassPhraseDialog exec:/path/to/passphrase-script

Then create a very simple script called /path/to/passphrase-script that contains something like the following:

/path/to/passphrase-script
#!/bin/sh
echo "put the passphrase here"

WARNING: As this script contains the actual passphrase in the clear, it must be locked down: owned by root and readable and executable by root only (mode 0700). Apache runs it as root during startup, before it drops privileges, so nothing else needs access to it. Bear in mind that this moves the secret rather than removing it: anyone who can read the script can unlock the key, so the gain is that a copy of the key file on its own is useless.

NOTE: When starting up, Apache runs this script and uses whatever it writes to stdout as the passphrase for the SSL key. You can check the script before restarting Apache by running it by hand and confirming that it prints exactly the passphrase and nothing else.

  • If you have multiple SSL sites, SSLPassPhraseDialog gives you what you need to tell the keys apart: in exec: mode the script is called once per key with servername:port and the key type (RSA, DSA or ECC) as its two arguments, so you can have a single script that selects the passphrase for all of your keys, or a dispatcher that hands off to a separate script for each. Note that the directive is server-wide (it cannot be set per virtual host), so Apache only ever runs the one program you name there.
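The multi-key case described above, as an added example that is not part of the original page: an exec-mode script that picks the passphrase from the two arguments mod_ssl passes. The host names and passphrase strings are placeholders; the only real interface is the argument convention ("servername:port" followed by the key type).

```shell
#!/bin/sh
# Added example (not from the page): an exec-mode SSLPassPhraseDialog script
# serving several keys. In exec: mode mod_ssl runs this program once per key
# and passes two arguments: "servername:port" and the key type (RSA, DSA or ECC).
# Host names and passphrases below are placeholders for illustration.

passphrase_for() {
    # $1 = servername:port as passed by mod_ssl, $2 = key type.
    # "/" is used as the separator because $1 already contains a ":".
    case "$1/$2" in
        www.example.com:443/RSA)  echo 'www-rsa-passphrase' ;;
        www.example.com:443/ECC)  echo 'www-ecc-passphrase' ;;
        mail.example.com:443/*)   echo 'mail-passphrase' ;;   # same phrase for every key type on this vhost
        *) return 1 ;;
    esac
}

# Refuse to answer for anything not listed: print nothing and exit non-zero, so the
# failure shows up in Apache's error log instead of an empty passphrase being tried.
if [ "$#" -eq 2 ]; then
    if ! passphrase_for "$1" "$2"; then
        echo "passphrase-script: no entry for $1 ($2)" >&2
        exit 1
    fi
fi
```

Install it as /path/to/passphrase-script, owned by root with mode 0700, point `SSLPassPhraseDialog exec:/path/to/passphrase-script` at it, and test each entry by hand (for example `/path/to/passphrase-script www.example.com:443 RSA`) before restarting Apache. The servername:port value comes from the virtual host's ServerName and listening port, so the case labels must match what the vhost is actually configured with.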