avoid passphrase while generating CSR file using openssl

Posted on 2011-05-03
Last Modified: 2012-08-14

I need to renew the SSL certificate for a web application. The current SSL certificate is going to expire.
What I am doing:
As I already have an SSL certificate installed, I don't need to create a private key.
I am trying to create the CSR file only, using the below command:
openssl req -new -key <current private key file name>.key -out <csr file name>.csr

When I type the above command it prompts for
Enter pass phrase for absolute Location of /server.key

Now I don't know the passphrase.
My question: if the current private key has a passphrase, how can I find that out?
Secondly, this Apache starts automatically after reboot.
I mean, I heard that if there is a passphrase in the private key file, Apache prompts you to enter the passphrase while starting. As this Apache starts automatically, no one is available to enter the passphrase.

My confusion: do I have a passphrase enabled in the private key or not?
As the above command is asking for a passphrase I think there is a passphrase, but at the same time this Apache starts automatically after reboot and no one enters the passphrase..
I am confused.

Please help.
Thank you
Question by:jayatallen

    Accepted Solution

    The new versions of openssl won't let you create a private key without a passphrase.

    However it can be easily removed with this command:

     openssl rsa -in privkey.pem -out nopasswdkey.pem

    If you run this command and it asks you for a passphrase then obviously your private key has one.

    If you forgot the passphrase you need to start from scratch.

    Expert Comment

    And yes, if your Apache starts automatically and the certificate is working fine then there is no password on your private key.

    Author Comment

    Hi a1j,

    the command you have given
     openssl rsa -in privkey.pem -out nopasswdkey.pem

    is for generating a new CSR file which will be sent to Verisign?
    and using that CSR they will send back the CRT?

    could you please tell me what is:
     privkey.pem .... the path of the current private key?

    Assisted Solution

    No, the command to generate a CSR will look like this:

    openssl req -new -key privkey.pem -out mysite.csr

    mysite.csr is the resulting cert request.

    privkey.pem is where your privkey is stored.
    When you are answering the questions you need to enter your website domain in the "Common name" field, but I do believe that Verisign should have documentation on how to do this.

    After you get the certificate (it should be Base64 encoded) you need to store it in the file that your Apache server uses for the certificate.

    To find out where your private key and certificate are, look at the Apache config.

    Author Comment

    Hi a1j,

    below is what I see in the ssl.conf file:
    SSLCertificateFile /apps/compass/deployment/apache/conf/ssl.crt/server.crt

    SSLCertificateKeyFile /apps/compass/deployment/apache/conf/ssl.key/server.key

    SSLCertificateChainFile /apps/compass/deployment/apache/conf/ssl.crt/ca.crt

    So, what I am doing is trying to generate a CSR file so I can send it to Verisign.. I ran the above command and it's asking for a password.. don't know why.. and at the same time this Apache comes up automatically after reboot.

    I think I am confusing myself.. sorry for being ignorant.. I tried the command you gave:
    openssl req -new -key privkey.pem -out mysite.csr

     privkey.pem is server.key for me, as I can see the key name is "server.key" in ssl.conf, but it's throwing an error..

    /usr/local/ssl/bin/openssl req -new server.key -out server.csr

    unknown option server.key
    req [options] <infile >outfile
    where options  are
     -inform arg    input format - DER or PEM
     -outform arg   output format - DER or PEM
     -in arg        input file
     -out arg       output file
     -text          text form of request
     -pubkey        output public key
     -noout         do not output REQ
     -verify        verify signature on REQ
     -modulus       RSA modulus
     -nodes         don't encrypt the output key
     -engine e      use engine e, possibly a hardware device
     -subject       output the request's subject
     -passin        private key password source
     -key file      use the private key contained in file
     -keyform arg   key file format
     -keyout arg    file to send the key to
     -rand file:file:...
                    load the file (or the files in the directory) into
                    the random number generator
     -newkey rsa:bits generate a new RSA key of 'bits' in size
     -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'


    Expert Comment

    You forgot the --key switch before your private key.

    Author Comment

    Still it's prompting for the password:
    bash-3.00$ /usr/local/ssl/bin/openssl req -new -key server.key -out server.csr
    Enter pass phrase for server.key:
    unable to load Private Key
    2853:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:401:

    I am 100% sure this Apache restarts automatically every Sunday with the machine reboot.
    I wonder how it comes up, because I heard that if there is a passphrase in the SSL key, Apache prompts for it while starting.

    Assisted Solution

    There can be 4 cases here:
    1. The key has an empty password; you just have to hit enter.
    2. You are looking at the wrong Apache config; the key is somewhere else.
    3. The key does have a password but it is stored in some config file, for example here:

     grep _password /etc/ssl/openssl.cnf
    # input_password = secret
    # output_password = secret

    4. The key is encrypted and Apache asks for its password during startup (i.e. it has to be started manually for that).
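A quick way to settle what the thread keeps circling (does this key carry a passphrase, and is it the key Apache actually loads?), as an added shell example that is not from the original thread. It reads the PEM headers instead of prompting, pulls the key path out of the ssl.conf format quoted above, and wraps the accepted answer's openssl rsa step; the key files and config it writes are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a PEM private key on
# disk; the sample files written below are constructed placeholders, not real keys.

# Classify a PEM private key by its headers alone (no openssl needed):
# "encrypted" (legacy Proc-Type/DEK-Info headers or a PKCS#8 ENCRYPTED block),
# "plain" (unencrypted key) or "unknown" (missing file, certificate, garbage).
key_encryption_state() {
    f="$1"
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f" 2>/dev/null \
       || grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" 2>/dev/null; then
        echo encrypted
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
        echo plain
    else
        echo unknown
    fi
}

# First SSLCertificateKeyFile path in an Apache ssl.conf (commented lines
# ignored), so the key Apache actually loads is the one inspected.
apache_key_path() {
    sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# The thread's "openssl rsa" step, run so the decrypted copy is created
# owner-readable only. Needs openssl and prompts for the current passphrase.
strip_passphrase() {
    ( umask 077; openssl rsa -in "$1" -out "$2" )
}

# Write constructed sample files into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' '' \
        'PLACEHOLDERBODY' '-----END RSA PRIVATE KEY-----' > "$dir/encrypted.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERBODY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/plain.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDERBODY' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/pkcs8.key"
    printf '%s\n' '# SSLCertificateKeyFile /old/server.key' \
        "SSLCertificateKeyFile $dir/plain.key" > "$dir/ssl.conf"
    echo "$dir"
}

# Usage: an "encrypted" verdict for a key Apache loads unattended means the
# passphrase is being supplied from somewhere else (case 3 above).
d=$(make_samples); k=$(apache_key_path "$d/ssl.conf")
echo "$k: $(key_encryption_state "$k")"
```

Run key_encryption_state against the path apache_key_path returns from the real ssl.conf; strip_passphrase is only needed if that verdict is "encrypted" and the passphrase is known.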


    Author Comment

    thank you for your reply...
    I know I am looking at the right Apache, because I checked the certificate in the browser and then, using the below command, I read it on the command line, and both have the same content..
    /usr/local/ssl/bin/openssl x509 -text -in server.crt

    Not sure why it's happening.. what I kind of did was create a new private key without a passphrase and a crt..
    for the private key without a passphrase:
    openssl genrsa -out <private key file name>.key 2048

    for the cert:
    openssl req -new -key <private key file name>.key -out <csr file name>.csr
