avoid passphase while generating csr file using openssl


I need to renew SSL certificate for a web application. Current SSL certificate is going to expire.
What iam doing:
As already i have SSL certificate installed, i dont need to create a private key.
I am trying to create CSR file only using the below command:
openssl req –new –key <current private key file name>.key –out <csr file name>.csr

When i type above command it prompts for
Enter pass phrase for absolute Location of /server.key

Now i dont know the passpharse.
My question,if the current private key has passpharse ,how i can find that out?
Secondly, this apache starts automatically after reboot.
I mean i heard,if there is passphrase in private key file,while starting apache it prompts for to enter the passpharse. As this apache starts automatically, no one is available to enter the passpharse.

My confusion, do i have passpharse enabled in private key or not?
as above command is asking for passpharse i think there is passphrase but at the same time this apache starts automatically after reboot and on one enter the passphrase..
Iam confused.

Please help.
Thank you
Who is Participating?
The new versions of openssl wont let you to create private key without passphrase.

However it can be easily removed with this command:

 openssl rsa -in  privkey.pem -out nopasswdkey.pem

If you run this command and it asks you for a passphrase then obviously you private key has one.

If you forgot passprase you need to start from scratch.
And yes if your apache starts automatically and certificate is working fine then there is no password on your private key.
jayatallenAuthor Commented:
Hi a1j,

the command you have given
 openssl rsa -in  privkey.pem -out nopasswdkey.pem

is for generating a new CSR file which will be send to Verisign?
and using that CSR they will send back CRT?

could you please tell what is :
 privkey.pem  ....path of the current private key?
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

No the command to generate CSR will looks like this

openssl req -new -key privkey.pem -out mysite.csr

mysite.csr is resulting cert request

privkey.pem is where your privkey is stored.
When you will be answering questions you need to enter your website domain in "Common name" fiels but i do believe that verisign should have documentation of how to do this.

After you get certificate (it should be Base64 encoded) you need to store it in the file that your apache server uses for certificate.

To find out where is your private key and certificate look at the apache config.
jayatallenAuthor Commented:
Hi a1j,

below is what i see in ssl.conf file:
SSLCertificateFile /apps/compass/deployment/apache/conf/ssl.crt/server.crt

SSLCertificateKeyFile /apps/compass/deployment/apache/conf/ssl.key/server.key

SSLCertificateChainFile /apps/compass/deployment/apache/conf/ssl.crt/ca.crt

So, what i am doing is trying to generate a CSR file so i can send it to Versign..i ran the above command and its asking for password ..dont know why..and at the sametime this apache comes up automatically after reboot.

I think iam confusing..sorry for being ignorance..I tried you given command:
openssl req -new -key privkey.pem -out mysite.csr

 privkey.pem ...is server.key for me. as i can see key name is "server.key" in ssl.conf  but i throwing error..

/usr/local/ssl/bin/openssl req -new server.key -out server.csr

unknown option server.key
req [options] <infile >outfile
where options  are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -pubkey        output public key
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus
 -nodes         don't encrypt the output key
 -engine e      use engine e, possibly a hardware device
 -subject       output the request's subject
 -passin        private key password source
 -key file      use the private key contained in file
 -keyform arg   key file format
 -keyout arg    file to send the key to
 -rand file:file:...
                load the file (or the files in the directory) into
                the random number generator
 -newkey rsa:bits generate a new RSA key of 'bits' in size
 -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'

You forgot --key switch before your private key.
jayatallenAuthor Commented:
Still its prompting for the password;
bash-3.00$ /usr/local/ssl/bin/openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
unable to load Private Key
2853:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:401:

I am 100% sure, this apache is restarts automatically every sunday with machine reboot.
wonder how it comes up, because i heard if there is passphase in ssl key,while starting apache it prompts for it.
There can be 4 cases here
1. The key has empty password, you just have to hit enter.
2. You are looking at the wrong apache config, the key is somewhere else.
3. The key does have password but it is stored in some config file. for example here:

 grep _password /etc/ssl/openssl.cnf
# input_password = secret
# output_password = secret

4. the key is encrypted and apache asks for its password during startup (i e it has to be started manually for that).

jayatallenAuthor Commented:
thank you for your reply...
i know i am looking at right apache..because i checked the certificate in browser and then using the below command, i read it on command line and both have same content..
/usr/local/ssl/bin/openssl x509 -text  -in server.crt

Not sure why its happening..was kind of urgent..so i created new private key without passpharse and crt..
for private key without passpharse:
openssl genrsa  –out <private key file name>.key 2048

for cert:
openssl req –new –key <private key file name>.key –out <csr file name>.csr
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.