Is it possible to generate RSA key without pass phrase?


I’m working with Apache2 and Passenger for a Rails project.
I would like to create a self-signed SSL Certificate for testing purposes.

sudo openssl rsa -des3 -in server.key -out server.key.new

When I enter the above command, it says

writing RSA key
Enter PEM pass phrase:

If I do not enter the pass phrase, I'm getting the below error

unable to write key
3079317228:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 1024 characters
3079317228:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:111:
3079317228:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:382

Is it possible to generate an RSA key without giving a pass phrase? I am not sure how the /etc/init.d/httpd script will start the HTTP server without human intervention (i.e. if I give a 4 character pass phrase, it expects me to provide this while starting the Apache HTTP server).

If you are generating a self signed cert, you can do both the key and cert in one command like so:

openssl req  -nodes -new -x509  -keyout server.key -out server.cert

Oh, and what @MadHatter said in his answer about omitting the -des3 flag.

Leave off the -des3 flag, which is an instruction to openssl to encrypt server.key.new (which, incidentally, isn’t a new key at all – it’s exactly the same as server.key, only with the passphrase changed/stripped off).

The openssl req command from the answer by @Tom H is correct to create a self-signed certificate in server.cert incl. a password-less RSA private key in server.key:

openssl req -nodes -new -x509 -keyout server.key -out server.cert

Here is how it works. Omitting -des3 as in the answer by @MadHatter is not enough in this case to create a private key without passphrase. It is enough for this purpose in the openssl rsa (“convert a private key”) command referred to by @MadHatter and the openssl genrsa (“create a private key”) command. Just not for the openssl req command here. We additionally need -nodes (“No DES encryption of server.key please!”).

Use the -nodes parameter; if this option is specified, the private key will not be encrypted, e.g.:

openssl \
    req \
    -nodes \
    -newkey rsa:2048 \
    -keyout www.example.com.key \
    -out www.example.com.csr \
    -subj "/C=DE/ST=NRW/L=Berlin/O=My Inc/OU=DevOps/CN=www.example.com/emailAddress=dev@www.example.com"
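
A key written with -nodes (or with -des3 left off) carries no passphrase, so the file's permissions are its only protection. The following is an added example, not part of the original thread: a shell check that tells from the PEM headers whether a key file is passphrase-protected and flags an unprotected key that group or other users can access. The function names key_status, key_perms_ok and audit_key are hypothetical.

```shell
#!/bin/sh
# Added example: classify a PEM private key as passphrase-protected or not,
# and flag an unprotected key whose file mode allows group/other access.

# key_status FILE -> prints "encrypted", "plain" or "unknown"
key_status() {
    # PKCS#8 encrypted keys say so in the BEGIN line itself.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted
    # Traditional PEM keys mark encryption with a Proc-Type header.
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    elif grep -E -q -e '-----BEGIN ((RSA|EC) )?PRIVATE KEY-----' "$1"; then
        echo plain
    else
        echo unknown
    fi
}

# key_perms_ok FILE -> exit 0 if group and others have no access at all
key_perms_ok() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# audit_key FILE -> exit 1 when a plain key is accessible beyond its owner
audit_key() {
    kind=$(key_status "$1")
    if [ "$kind" = plain ] && ! key_perms_ok "$1"; then
        echo "$1: plain key with group/other access; run: chmod 600 $1"
        return 1
    fi
    echo "$1: $kind"
}

# Usage: sh audit_key.sh server.key www.example.com.key
if [ $# -gt 0 ]; then
    for f in "$@"; do
        audit_key "$f" || true
    done
fi
```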
