Auto insert password for a Trusted SSL Certificate / Automatically enter password for an SSL Certificate during Apache startup on Debian Lenny

Friday, 26th March 2010

Protect-Your-Private-SSL_keys-Apache-howto
I've recently installed a Trusted certificate that I've previously protected with a pass-phrase to an Apache server running on top of Debian in order to have a better security.
Now everytime I restart Apache it's pretty annyoing and non-practical at the same time, to enter the Passphrase assigned to the SSL certificate.
It's also dangerous because if Apache crashes and tries to resurrect itself restartig it might not start-up again.
Another unpleasant possible scenario is if for example some of the php code developers tries to change something minor in some Virtualhost and afterwards restarts Apache for the new configurations to take place, again Apache won't bring up and a chaos would emerge.
So I decided to configurate my Apache that it auto fills in the passphrase each time it's being started or restarted.To do that I consulted some online resources and I end up redirected by a blog post to the mod_ssl ssl_reference web page

There is plenty of stuff on that document however in my case all I needed was one directive in /etc/apache2/mods-avalable/mods-available/ssl.conf :

SSLPassPhraseDialog exec:/etc/apache2/mods-available/passphrase

The above code must replace:

SSLPassPhraseDialog builtin

Now last step is to prepare the /etc/apache2/mods-available/passphrase .
Make sure the file has the following content:

#!/bin/sh
echo "yoursecretpassword"

Change above yoursecretpassword with your configured passphrase.
Also please make sure /etc/apache2/mods-availabe/passphrase has proper set permissions. In my case I've set the following permissions for the file:

debian:~# chown www-data:www-data /etc/apache2/mods-available/passphrase
debian:~# chmod 700 /etc/apache2/mods-available/passphrase

That should be it, Restart Apache and make sure Apache is properly loaded without anySSL passphrase prompts.
However you should have in mind that auto enabling passphrase loading on starting in Apache is much more insecure than typing in the password every time you restart Apache. Storing the passphrase in a file is quite insecure compared to if you type it every time Apache starts.
For instance if a hacker breaks into your server he might be able to steal your SSL certificate as well as the passphrase file.
And surely this is something you don't want. Anyways flexibility has a price and if you decide to go the way described, please note the risk first.

 

   

If you haven't already added a password to your private key during certficate generation time,

Of course you can add/remove a passphrase at a later time.

    add one (assuming it was an rsa key, else use dsa)

    openssl rsa -des3 -in your.key -out your.encrypted.key
    mv your.encrypted.key your.key

    the -des3 tells openssl to encrypt the key with DES3.

    remove it

    openssl rsa -in your.key -out your.open.key

    you will be asked for your passphrase one last time
    by omitting the -des3 you tell openssl to not encrypt the output.

    mv your.open.key your.key

 

Share this on:

Download PDFDownload PDF

Tags: , , , , , , , , , , , ,

4 Responses to “Auto insert password for a Trusted SSL Certificate / Automatically enter password for an SSL Certificate during Apache startup on Debian Lenny”

  1. Rob says:
    Firefox 3.0.4 Firefox 3.0.4 Mac OS X 10.5 Mac OS X 10.5
    Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4

    Hi There

    Thanks for sharing this and explaining it step by step with your code, without over complicating it and missing out basic but vital stuff like so many other people seem to do!

    Please feel free to give me a shout if ever you are stuck, and if its an obstacle I have encountered then I will gladly reciprocate your help!

    All the best.
    Rob

    View CommentView Comment
    • admin says:
      Epiphany 2.29.92 Epiphany 2.29.92 Debian GNU/Linux Debian GNU/Linux
      Mozilla/5.0 (X11; U; Linux i686; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Safari/531.2+ Debian/squeeze/sid () Epiphany/2.29.92

      Hey I’m glad you like it, will be seeing you around 🙂

      View CommentView Comment
  2. Floyd Corrow says:
    Firefox 3.5.3 Firefox 3.5.3 Windows 7 Windows 7
    Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

    Having been just looking at pertinent blog articles for my project research when I happened to stumble on yours. Thanks for this valuable material!

    View CommentView Comment
  3. Alex says:
    Safari 5.1.1 Safari 5.1.1 Mac OS X 10.7.2 Mac OS X 10.7.2
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/534.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22

    Thanks for article. Just one recommendation – leave privileges root:root for passphrase file. I’ve just checked at it works good as well but this way at least only root can view the password.

    View CommentView Comment

Leave a Reply

CommentLuv badge