
How to Skip PassPhrase Dialog

Enter SSL Pass Phrase

If you supplied a passphrase when creating the private key for your SSL configuration, you must enter that passphrase every time you restart the httpd service.

[root@test ~]# systemctl restart httpd
Enter SSL pass phrase for (RSA) : ********

This can be annoying while configuring and testing your web server. Worse, you have no chance to enter the passphrase if a system reboot is scheduled as a cron job.

There are two ways to stop the passphrase prompt.

Remove PassPhrase from Private Key

Here we use openssl to write out a copy of the RSA key without specifying any encryption options.

[root@test ~]# openssl rsa -in /etc/pki/tls/private/ -out /etc/pki/tls/private/
Enter pass phrase for /etc/pki/tls/private/
writing RSA key

As you can see, we have an output file which is the private key without a passphrase.

Then we use the passphrase-free private key as our key file.

[root@test ~]# vi /etc/httpd/conf/httpd.conf
#SSLCertificateKeyFile /etc/pki/tls/private/
SSLCertificateKeyFile /etc/pki/tls/private/

Now you can restart the httpd server without being prompted for the passphrase.

Please note that an unencrypted private key may add some security risk to your server, because anyone who can read the file can use the key. However, it's convenient during the system testing phase, and you can switch back afterward.

Provide PassPhrase in Advance

To provide the passphrase, create a script file that echoes it.

[root@test ~]# vi /etc/httpd/passphrase
#!/bin/sh
# Prints the key passphrase on stdout for SSLPassPhraseDialog exec:
echo "Your_Passphrase_Goes_Here"

Please note that if your passphrase contains any special character, for example a dollar sign ($) or a semicolon (;), you have to use a backslash (\) to escape it. Otherwise, the service fails to start.

Then make it executable.

[root@test ~]# chmod u+x /etc/httpd/passphrase

Go back to the SSL configuration file and replace the dialog program at around line 18 with the new file.

[root@test ~]# vi /etc/httpd/conf.d/ssl.conf -c "se nu"
     18 #SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
     19 SSLPassPhraseDialog exec:/etc/httpd/passphrase

It's done.
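Both methods leave a secret on disk in clear form: the decrypted key in the first, the passphrase script in the second. The audit helper below is an added example, not part of the original article; its function names are hypothetical, it assumes `ls`, `awk` and `grep` as found on a typical Linux host, and the files to check are passed as arguments.

```bash
#!/bin/sh
# Added example: audit files that hold an httpd TLS secret in clear form.
# Usage (paths are the caller's own): sh audit.sh KEY_OR_SCRIPT [...]

# key_is_encrypted FILE -> 0 if the PEM private key is passphrase-protected.
# Traditional keys carry "Proc-Type: 4,ENCRYPTED" as a header line;
# PKCS#8 keys start with "-----BEGIN ENCRYPTED PRIVATE KEY-----".
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' -- "$1"
}

# secret_perms_ok FILE [UID] -> 0 if FILE is a regular file (not a symlink),
# owned by numeric UID (default 0, i.e. root), with no group/other bits set.
secret_perms_ok() {
    sp_file=$1
    sp_uid=${2:-0}
    [ -f "$sp_file" ] && [ ! -L "$sp_file" ] || return 1
    # ls -ldn prints the mode string in field 1 and the numeric owner in field 3
    sp_info=$(ls -ldn -- "$sp_file" | awk '{print $1 " " $3}')
    sp_mode=${sp_info% *}
    sp_owner=${sp_info#* }
    case $sp_mode in
        -???------*) ;;          # e.g. -rw------- or -rwx------.
        *) return 1 ;;           # some group or other permission bit is set
    esac
    [ "$sp_owner" = "$sp_uid" ]
}

# report FILE -> one line per finding
report() {
    if key_is_encrypted "$1"; then
        echo "$1: encrypted PEM key, httpd needs the passphrase at start"
    else
        echo "$1: contents are not passphrase-protected"
    fi
    secret_perms_ok "$1" || echo "$1: WARNING not root-owned or accessible by group/other"
}

if [ "$#" -gt 0 ]; then
    for f in "$@"; do report "$f"; done
fi
```

Run it against the key file named in SSLCertificateKeyFile and against the passphrase script; a file that reports a warning can be tightened with `chown root` and `chmod 600` (or `700` for the script).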
