Differences

This shows you the differences between two versions of the page.

--- apache:certificates:use_password_protected_certificates [2023/07/17 11:06] – created peter
+++ apache:certificates:use_password_protected_certificates [2023/07/17 11:08] (current) – peter
@@ Line 1: / Line 1: @@
 ====== Apache - Certificates - Use password protected certificates ======
+A lot of people remove the passphrase from their own key files because it is the simplest solution, but security-wise, it is not the best idea.
+An alternative is to feed the passphrase to Apache.
+  * This can be done with the **SSLPassPhraseDialog** option in the httpd.conf (or another file that it includes).
+If you only have one SSL site on your server, the simplest form of this would be:
+<file bash /etc/apache2/httpd.conf>
+# either of these will work
+SSLPassPhraseDialog |/path/to/passphrase-script
+SSLPassPhraseDialog exec:/path/to/passphrase-script
+</file>
+Then create a very simple script called **/path/to/passphrase-script** that contains something like the following:
+<file bash /path/to/passphrase-script>
+#!/bin/sh
+echo "put the passphrase here"
+</file>
+<WRAP warning>
+**WARNING**:  As this script would contain the actual passphrase, it needs to be securely locked-down.
+</WRAP>
+<WRAP info>
+**NOTE:**  When starting up, Apache will take the output of this script and use it as the passphrase for the SSL key.
+  * If you have multiple SSL sites, **SSLPassPhraseDialog** has additional ways in which it can be used, so you can either have a single script for all of your keys, or a separate script for each, or however you want to do it.
+</WRAP>