181

I'm working with Apache2 and Passenger for a Rails project. I would like to create a self-signed SSL Certificate for testing purposes.

sudo openssl rsa -des3 -in server.key -out server.key.new 

When I enter the above command, it says

writing RSA key Enter PEM pass phrase: 

If I do not enter the pass phrase, I'm getting the error below

unable to write key 3079317228:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 1024 characters 3079317228:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:111: 3079317228:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:382 

Is it possible to generate a RSA key without giving pass phrase, since I am not sure how the /etc/init.d/httpd script will start the HTTP server without human intervention (i.e. If I give a 4 character pass phrase, it expects me to provide this while starting the Apache HTTP server).

2
  • 7
    Your command line tells openssl to encrypt an existing key. That sounds like something other than what you want. Commented Mar 5, 2012 at 8:41
  • 1
    Apache httpd can be configured to obtain the privatekey passphrase(s) noninteractively; see the doc for mod_ssl, or in many cases comments in the provided/packaged config file(s). However, this is usually no more secure than just leaving the privatekey unencrypted, which is simpler. Commented Apr 25, 2018 at 12:46

9 Answers

193

If you are generating a self signed cert, you can do both the key and cert in one command like so:

openssl req -nodes -new -x509 -keyout server.key -out server.cert 

Oh, and what @MadHatter said in his answer about omitting the -des3 flag.

3
  • 44
    The nodes directive is why I'm here. (No DES encryption of private key) Commented Jan 24, 2017 at 23:15
  • 3
    If you want it to expire after 10 years, set -days 3650 Commented Aug 25, 2023 at 14:46
  • 3
    in 2025, -nodes is deprecated in favour of -noenc Commented Jan 3 at 16:50
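As an added example that is not part of any answer here: a small POSIX shell script that runs the one-step command above and then checks, from the PEM headers alone, whether a key file would make httpd prompt for a passphrase at startup. The file paths, the 2048-bit key size and the CN are assumptions; the two sample PEM files are constructed header stubs, not real keys.

```shell
#!/bin/sh
# Added example, not from any answer above: create key + self-signed cert in
# one step with no passphrase, then show the key file will not prompt httpd
# for a passphrase. Paths, key size and CN are assumptions.

# Print "encrypted", "unencrypted" or "none" for a PEM private key file,
# judging by headers only (works without openssl). Returns 1/0/2 respectively.
classify_pem_key() {
  if grep -qE -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" \
     || grep -qE -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
    echo encrypted; return 1
  fi
  if grep -qE -e '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
    echo unencrypted; return 0
  fi
  echo none; return 2
}

# Key + self-signed cert in one command; -nodes leaves the key unencrypted
# (newer OpenSSL spells it -noenc, as a comment above notes).
make_selfsigned() {
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
    -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Constructed sample files (header lines only, not real keys) so the check
# can be exercised even where openssl is not installed.
tmp=${TMPDIR:-/tmp}/pemcheck.$$
mkdir -p "$tmp"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
  'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'AAAA' \
  '-----END RSA PRIVATE KEY-----' > "$tmp/encrypted.key"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
  '-----END PRIVATE KEY-----' > "$tmp/plain.key"

# Real run, only if openssl is available: the generated key must classify
# as "unencrypted", i.e. httpd can start it without a passphrase prompt.
if command -v openssl >/dev/null 2>&1; then
  make_selfsigned "$tmp/server.key" "$tmp/server.cert" www.example.com \
    && classify_pem_key "$tmp/server.key"
fi
```

An "encrypted" result on a key referenced by SSLCertificateKeyFile is the case where Apache stops and waits for a passphrase at startup.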
64

Leave off the -des3 flag, which is an instruction to openssl to encrypt server.key.new (which, incidentally, isn't a new key at all - it's exactly the same as server.key, only with the passphrase changed/stripped off).

0
45

The openssl req command from the answer by @Tom is correct to create a self-signed certificate in server.cert incl. a password-less RSA private key in server.key:

openssl req -nodes -new -x509 -keyout server.key -out server.cert 

Here is how it works. Omitting -des3 as in the answer by @MadHatter is not enough in this case to create a private key without passphrase. It is enough for this purpose in the openssl rsa ("convert a private key") command referred to by @MadHatter and the openssl genrsa ("create a private key") command. Just not for the openssl req command here. We additionally need -nodes ("No DES encryption of server.key please!").

44

Use the -nodes parameter; if this option is specified, the private key will not be encrypted, e.g.:

openssl req -nodes \
  -newkey rsa:2048 \
  -keyout www.example.com.key \
  -out www.example.com.csr \
  -subj "/C=DE/ST=NRW/L=Berlin/O=My Inc/OU=DevOps/CN=www.example.com/[email protected]"
0
21

Adding -nodes to the 'openssl req' allows an unencrypted (no passphrase) private key to be generated from the 'openssl req' command.

The -nodes flag means "No DES": i.e., not encrypting the private key.

3
  • 3
    This is exactly the right answer. The -nodes flag means "No DES": ie., no encrypting the private key. Commented Jul 25, 2020 at 18:19
  • TIL -nodes is "No DES" and not... "nodes". I feel super stupid now. Commented Apr 8 at 17:58
  • @mpowered Don't be. It's just terrible naming. Plus as of time of writing -nodes is now deprecated in favour of -noenc. Granted it probably has more to do "enc" being a more general (and hence more accurate) term, but I imagine the bad naming of -nodes didn't exactly help its case. Commented May 27 at 7:45
14

Just run it again through openssl

First generate the key with the passphrase

Then openssl rsa -in server.key -out server.key

8
  • 1
    This is not working on ubuntu 16.04 Commented May 9, 2016 at 20:19
  • 4
    I downvoted because this answer is not what was asked, also the command requires an input and doesn't generate a key. Commented Oct 11, 2016 at 13:37
  • 1
    The user already demonstrated they know how to generate a key. This answer builds on that knowledge, and I suggest to take the newly generated key and pass it again through openssl Hence achieving the goal of what was asked: generating a key without a pass phrase. Commented Oct 11, 2016 at 14:19
  • Works for me, openssl on Windows 10 from GitBash. Thanks for info. Commented May 14, 2017 at 21:11
  • cool it worked for my self signed cert Commented Aug 13, 2020 at 12:31
5

Use the following command to generate a password-less private key file with NO encryption. The last parameter is the size of the private key.

openssl genrsa -out my-passless-private.key 4096 
4
  • 1
    This is NOT password-less. It is completely and entirely password-ful. Commented Apr 25, 2018 at 12:48
  • I was experimenting with position of the parameters. It is now OK. I changed the places of last two parameters and tested the command. Commented Apr 25, 2018 at 13:47
  • Now it produces an unencrypted file. Options after the (only) positional argument are ignored. Look at the file; it's not encrypted. Replace 4096 -des3 with 4096 -sillywombat and it still works and produces the same format, still unencrypted (but a different key value of course). There is no way to have a passwordless encrypted privatekey file, and correct solutions for a passwordless unencrypted file were given six years ago. Commented Apr 26, 2018 at 12:58
  • 1
    You are right, @dave_thompson_085. The last parameter doesn't have any effect on the command. I updated my answer. It generates a non-encrypted, base64-encoded and not password-protected private key file. Commented Apr 26, 2018 at 14:16
0

To generate a PEM certificate without a passphrase:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 10000 -nodes

-1

To generate a self signed cert for testing:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
  -days 365 -sha256

Then remove the password from the key via

openssl rsa -in key.pem -out nopass.pem 

This answer is from: https://actix.rs/docs/server/. This answer completes https://serverfault.com/a/662445/113360 above with a preceding step.

1
  • Or simpler use -nodes on req -newkey as was explained on multiple answers many many years ago. This not only does not add any positive value, it has negative value. Commented Jul 10, 2022 at 1:42
