This is a tip I picked up a while ago when I was implementing an
ssl certificate on Apache and Linux. I decided to use a pass phrase on
my key file, thinking that it would be better and more secure (more
secure is arguably true).


However, what I didn’t realize was that the pass phrase would be
needed every time Apache was started. This means that if the server has to restart for some reason you will have to manually enter the pass
phrase every time or Apache will not start.


I learned my lesson when the server I had put the ssl certificate on
went down in the night and then automatically restarted. Because Apache didn’t come back up automatically I got a call late in the night
wondering why the server was not working. I got connected to the server to quickly find that Apache wasn’t running simply because it wanted the pass phrase from the certificate in order to start.

It was at that point that I decided that it would be just better to
get rid of the pass phrase; the complications outweighed the benefits.
Luckily, pass phase removal is pretty easy and straightforward. It took a decent amount of digging around the web to find a
good answer, though.


Below is the process for removing a pass phrase from a key file.

First you will have to find where the key file you want to change is
located on your server, and then change to that directory on the command line. This will depend on the software and configuration but I keep mine in ‘/etc/httpd/conf/ssl.key’.

# cd /etc/httpd/conf/ssl.key

After that all you have to do is run the command below and then enter the pass phrase when prompted (replace ‘’ with the name of the key you want to change). WARNING: I would highly recommend backing up your existing key file before regenerating it.

# openssl rsa -in -out

Now you should be able to restart your server and be all set to go.


This was a good article that I found and used when setting up my secure server.

Article originally written by Jordon Mears, Software Architect.  Find more of Jordon’s writing at