179

I'm working with Apache2 and Passenger for a Rails project. I would like to create a self-signed SSL Certificate for testing purposes.

sudo openssl rsa -des3 -in server.key -out server.key.new

When I enter the above command, it says

writing RSA key
Enter PEM pass phrase:

If I do not enter the pass phrase, I'm getting the below error

unable to write key
3079317228:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:Yo
u must type in 4 to 1024 characters
3079317228:error:0906406D:PEM routines:PEM_def_callback:problems getting passwor
d:pem_lib.c:111:
3079317228:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:382

Is it possible to generate an RSA key without giving a pass phrase, since I am not sure how the /etc/init.d/httpd script will start the HTTP server without human intervention (i.e. if I give a 4-character pass phrase, it expects me to provide this while starting the Apache HTTP server).

diya
  • 1,943

9 Answers

193

If you are generating a self signed cert, you can do both the key and cert in one command like so:

openssl req  -nodes -new -x509  -keyout server.key -out server.cert

Oh, and what @MadHatter said in his answer about omitting the -des3 flag.

Tom
  • 11,611
64

Leave off the -des3 flag, which is an instruction to openssl to encrypt server.key.new (which, incidentally, isn't a new key at all - it's exactly the same as server.key, only with the passphrase changed/stripped off).

MadHatter
  • 81,580
45

The openssl req command from the answer by @Tom is correct to create a self-signed certificate in server.cert incl. a password-less RSA private key in server.key:

openssl req -nodes -new -x509 -keyout server.key -out server.cert

Here is how it works. Omitting -des3 as in the answer by @MadHatter is not enough in this case to create a private key without passphrase. It is enough for this purpose in the openssl rsa ("convert a private key") command referred to by @MadHatter and the openssl genrsa ("create a private key") command. Just not for the openssl req command here. We additionally need -nodes ("No DES encryption of server.key please!").

tanius
  • 708
44

Use the -nodes parameter; if this option is specified, the private key will not be encrypted, e.g.:

openssl \
    req \
    -nodes \
    -newkey rsa:2048 \
    -keyout www.example.com.key \
    -out www.example.com.csr \
    -subj "/C=DE/ST=NRW/L=Berlin/O=My Inc/OU=DevOps/CN=www.example.com/emailAddress=dev@www.example.com"
panticz
  • 881
20

Adding -nodes to the 'openssl req' allows an unencrypted (no passphrase) private key to be generated from the 'openssl req' command.

The -nodes flag means "No DES": i.e., not encrypting the private key.

Saikat
  • 111
David Roe
  • 301
14

Just run it again through openssl

first generate the key with the passphrase

then openssl rsa -in server.key -out server.key

darethas
  • 265
5

Use the next command to generate a password-less private key file with NO encryption. The last parameter is the size of the private key.

openssl genrsa -out my-passless-private.key 4096
nix
  • 159
  • 1
  • 3
0

To generate PEM certificate without passphrase:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 10000 -nodes

-1

To generate a self signed cert for testing:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
-days 365 -sha256

Then remove the password from the key via

openssl rsa -in key.pem -out nopass.pem

This answer is from: https://actix.rs/docs/server/. This answer completes https://serverfault.com/a/662445/113360 above with a preceding step.

tjb
  • 135
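
Added example, not code from any of the answers above: it creates the passphrase-less key and self-signed certificate with the openssl req -nodes command discussed in the thread, then checks that the key really is unencrypted and belongs to the certificate. The function names, the 2048-bit key size, the 30-day lifetime and the localhost CN are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). File names follow the answers above;
# the function names and the CN used in the demo are made up for illustration.

# Create an unencrypted RSA key and a self-signed cert in directory $1, CN $2.
# -nodes is the flag from the answers; OpenSSL 3.0 also accepts -noenc.
make_test_cert() {
    (
        umask 077   # no passphrase, so the file mode is the key's only protection
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$1/server.key" -out "$1/server.cert" \
            -days 30 -subj "/CN=$2" 2>/dev/null
    )
}

# Succeeds if the PEM key in $1 is passphrase-protected.
# Covers PKCS#8 ("ENCRYPTED PRIVATE KEY") and the traditional format
# ("Proc-Type: 4,ENCRYPTED") written by older openssl rsa -des3.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds if key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Demo in a throwaway directory.
demo=$(mktemp -d)
if make_test_cert "$demo" localhost; then
    if key_is_encrypted "$demo/server.key"; then
        echo "server.key still needs a passphrase"
    else
        echo "server.key is unencrypted; Apache can start unattended"
    fi
    key_matches_cert "$demo/server.key" "$demo/server.cert" && echo "key and cert match"
    ls -l "$demo/server.key"
fi
rm -rf "$demo"
```

Because the key carries no passphrase, the umask 077 in make_test_cert keeps it readable by its owner only; check the same mode on the file Apache actually loads.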