Apache - Certificates - Use password protected certificates

A lot of people remove the passphrase from their own key files because it is the simplest solution, but security-wise it is not the best idea: an unprotected key file is immediately usable by anyone who copies it.

An alternative is to feed the passphrase to Apache.

  • This can be done with the SSLPassPhraseDialog option in the httpd.conf (or another file that it includes).

If you only have one SSL site on your server, the simplest form of this would be:

/etc/apache2/httpd.conf
# either of these will work
SSLPassPhraseDialog |/path/to/passphrase-script
SSLPassPhraseDialog exec:/path/to/passphrase-script

Then create a very simple script called /path/to/passphrase-script that contains something like the following:

/path/to/passphrase-script
#!/bin/sh
echo "put the passphrase here"

WARNING: As this script would contain the actual passphrase, it needs to be locked down so that only root can read and execute it.

NOTE: When starting up, Apache will take the output of this script and use it as the passphrase for the SSL key.

  • If you have multiple SSL sites, SSLPassPhraseDialog has additional ways in which it can be used, so you can either have a single script for all of your keys, or a separate script for each, or however you want to do it.
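As an added example (not part of the original page), here is a passphrase script for the exec: form that serves several keys from one script. It assumes a per-key file layout under /etc/apache2/ssl/passphrases (an assumed path), and relies on Apache calling the exec: program with two arguments, servername:port and the key type (RSA, DSA or ECC).

```shell
#!/bin/sh
# Added example, not from the original page: a passphrase helper for the
# exec: form of SSLPassPhraseDialog. Apache invokes the program with two
# arguments, "servername:port" and the key type (RSA, DSA or ECC), so one
# script can serve several keys by looking each passphrase up in its own file.
# Assumed layout: /etc/apache2/ssl/passphrases/<servername>_<port>.<type>,
# each file root-owned, mode 0600, containing only the passphrase.

PASSPHRASE_DIR="${PASSPHRASE_DIR:-/etc/apache2/ssl/passphrases}"

# lookup_passphrase DIR SERVER:PORT KEYTYPE
# Prints the passphrase for that key, or prints nothing and returns non-zero.
lookup_passphrase() {
    dir=$1; vhost=$2; keytype=$3
    # Apache supplies the arguments, but refuse anything that could escape DIR.
    case "$vhost$keytype" in
        *[!A-Za-z0-9.:_-]*) echo "refusing suspicious arguments" >&2; return 1 ;;
    esac
    file="$dir/$(printf '%s' "$vhost" | tr ':' '_').$keytype"
    [ -f "$file" ] || { echo "no passphrase file for $vhost ($keytype)" >&2; return 1; }
    # Refuse a file readable by group or others: the passphrase would be exposed.
    if [ -n "$(find "$file" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$file is readable by group/others; fix with chmod 0600" >&2
        return 1
    fi
    # Only the first line is the passphrase; the trailing newline is harmless,
    # just as with the plain echo form.
    head -n 1 "$file"
}

# When run by Apache (two arguments), behave as the passphrase dialog program.
if [ "$#" -eq 2 ]; then
    lookup_passphrase "$PASSPHRASE_DIR" "$1" "$2" || exit 1
fi
```

Point SSLPassPhraseDialog at it with exec:/path/to/this-script and keep both the script and the passphrase directory readable only by root.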
apache/certificates/use_password_protected_certificates.txt · Last modified: 2023/07/17 11:08 by peter
