jayatallen
asked on
Avoid passphrase while generating CSR file using openssl
Hi,
I need to renew the SSL certificate for a web application. The current SSL certificate is going to expire.
What I am doing:
As I already have an SSL certificate installed, I don't need to create a private key.
I am trying to create only the CSR file using the command below:
openssl req -new -key <current private key file name>.key -out <csr file name>.csr
When I type the above command, it prompts for:
Enter pass phrase for absolute Location of /server.key
Now I don't know the passphrase.
My question: if the current private key has a passphrase, how can I find that out?
Secondly, this Apache starts automatically after reboot.
I mean, I heard that if there is a passphrase on the private key file, Apache prompts for the passphrase while starting. As this Apache starts automatically, no one is available to enter the passphrase.
My confusion: do I have a passphrase enabled on the private key or not?
As the above command is asking for a passphrase, I think there is a passphrase, but at the same time this Apache starts automatically after reboot and no one enters the passphrase.
I am confused.
Please help.
Thank you
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
And yes, if your Apache starts automatically and the certificate is working fine, then there is no password on your private key.
ASKER
Hi a1j,
The command you have given
openssl rsa -in privkey.pem -out nopasswdkey.pem
is for generating a new CSR file which will be sent to Verisign?
And using that CSR they will send back a CRT?
Could you please tell me what is:
privkey.pem ... the path of the current private key?
SOLUTION
ASKER
Hi a1j,
Below is what I see in the ssl.conf file:
SSLCertificateFile /apps/compass/deployment/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /apps/compass/deployment/apache/conf/ssl.key/server.key
SSLCertificateChainFile /apps/compass/deployment/apache/conf/ssl.crt/ca.crt
So, what I am doing is trying to generate a CSR file so I can send it to Verisign. I ran the above command and it's asking for a password, I don't know why, and at the same time this Apache comes up automatically after reboot.
I think I am confused. Sorry for my ignorance. I tried your given command:
openssl req -new -key privkey.pem -out mysite.csr
privkey.pem ... is server.key for me, as I can see the key name is "server.key" in ssl.conf, but it is throwing an error:
/usr/local/ssl/bin/openssl req -new server.key -out server.csr
unknown option server.key
req [options] <infile >outfile
where options are
-inform arg input format - DER or PEM
-outform arg output format - DER or PEM
-in arg input file
-out arg output file
-text text form of request
-pubkey output public key
-noout do not output REQ
-verify verify signature on REQ
-modulus RSA modulus
-nodes don't encrypt the output key
-engine e use engine e, possibly a hardware device
-subject output the request's subject
-passin private key password source
-key file use the private key contained in file
-keyform arg key file format
-keyout arg file to send the key to
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
-newkey rsa:bits generate a new RSA key of 'bits' in size
-newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
You forgot the --key switch before your private key.
ASKER
It's still prompting for the password:
bash-3.00$ /usr/local/ssl/bin/openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
aborted!
unable to load Private Key
2853:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:401:
I am 100% sure this Apache restarts automatically every Sunday with the machine reboot.
I wonder how it comes up, because I heard that if there is a passphrase on the SSL key, Apache prompts for it while starting.
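Added example, not part of the thread: a direct check of the two things the asker is unsure about. `pem_key_state` reads the PEM headers to tell whether a key file is passphrase-protected, and `apache_passphrase_source` reports the `SSLPassPhraseDialog` setting, since a configured `exec:` program lets Apache start unattended with an encrypted key. The stub files and the `/hypothetical/getpass` path are constructed for the demo.

```shell
#!/bin/sh
# Added example. Classifies a PEM key by its armor headers; no passphrase needed.
pem_key_state() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted-pkcs8            # PKCS#8 encrypted container
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-traditional      # legacy PEM encryption (DEK-Info follows)
    elif grep -Eq -e '-----BEGIN ((RSA|DSA|EC) )?PRIVATE KEY-----' "$1"; then
        echo plain
    else
        echo not-a-pem-key
    fi
}

# Last SSLPassPhraseDialog value in a config file, or "builtin" (mod_ssl's
# default: prompt on the terminal at startup). Directive names are case-insensitive.
apache_passphrase_source() {
    awk 'tolower($1) == "sslpassphrasedialog" { v = $2 }
         END { print (v == "" ? "builtin" : v) }' "$1"
}

# For each SSLCertificateKeyFile in the config, print: path, key state, verdict.
explain_startup() {
    src=$(apache_passphrase_source "$1")
    awk 'tolower($1) == "sslcertificatekeyfile" { print $2 }' "$1" |
    while read -r key; do
        state=$(pem_key_state "$key")
        case "$state:$src" in
            encrypted-*:builtin) verdict="prompts for passphrase at start" ;;
            encrypted-*:*)       verdict="passphrase supplied by $src" ;;
            plain:*)             verdict="starts unattended; rely on file permissions" ;;
            *)                   verdict="inspect manually" ;;
        esac
        echo "$key $state: $verdict"
    done
}

demo() {    # constructed stub files: headers only, no real key material
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '(base64 body omitted)' \
        '-----END RSA PRIVATE KEY-----' > "$d/server.key"
    printf 'SSLPassPhraseDialog exec:/hypothetical/getpass\nSSLCertificateKeyFile %s\n' \
        "$d/server.key" > "$d/ssl.conf"
    explain_startup "$d/ssl.conf"
    rm -rf "$d"
}
demo
```

Run `explain_startup` against the `ssl.conf` that the running Apache actually loads; a quoted path in the directive would need its quotes stripped first.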
SOLUTION
ASKER
Thank you for your reply.
I know I am looking at the right Apache, because I checked the certificate in the browser and then, using the command below, I read it on the command line, and both have the same content.
/usr/local/ssl/bin/openssl x509 -text -in server.crt
Not sure why it's happening. It was kind of urgent, so I created a new private key without a passphrase, and a crt.
For the private key without a passphrase:
openssl genrsa -out <private key file name>.key 2048
For the cert:
openssl req -new -key <private key file name>.key -out <csr file name>.csr