LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-19-2012, 11:51 PM   #1
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 224

Rep: Reputation: 8
Removing a Passphrase from a key


I was reading about making a certificate for a website on http://wiki.nginx.org/HttpSslModule#...e_Certificates. In the steps:
Now create the server private key, you'll be asked for a passphrase:
$ openssl genrsa -des3 -out server.key 1024

later it has:
Remove the necessity of entering a passphrase for starting up nginx with SSL using the above private key:
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key.

I understand about not wanting a passphrase, so the webserver can start without having to enter anything. But what I don't understand is how does this remove the passphrase? Does the -des3 Encryption still stay?
$ openssl rsa -in server.key.org -out server.key
 
Old 11-20-2012, 12:02 AM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
yes, it's a bit confusing. the -des option is for the output. since you don't have -des in the second command, the key will be outputted without being encrypted, although, you would be prompted for the pass phrase in order to read the previously encrypted key.
 
Old 11-20-2012, 03:18 AM   #3
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 224

Original Poster
Rep: Reputation: 8
Why did they have me encrypt the key to begin with if they are removing the encryption later?
 
Old 11-20-2012, 03:35 AM   #4
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
i don't know, and it's more convoluted than it should be if you're going to use an unencrypted key. keep in mind that the instructions come from the wiki (which anyone can edit) and not from the official docs. but, maybe the intention is that you store the encrypted key somewhere outside the server as backup. the key size also looks a bit weak.
 
Old 11-20-2012, 04:20 AM   #5
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 224

Original Poster
Rep: Reputation: 8
I don't intend to make a key with a passphrase. So I will just make the key as such:
openssl genrsa -aes256 4096 > server.key

Then I will make the csr:
openssl req -sha256 -new -key server.key -out server.csr

My question is....what is the -sha256 being used for?

Also, for the single session key that gets created dynamically...how do I specify what encryption I want to use? Can't I use AES for the stream encryption(single session key) since it is symmetric?
 
Old 11-20-2012, 10:53 PM   #6
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Quote:
I don't intend to make a key with a passphrase. So I will just make the key as such:
openssl genrsa -aes256 4096 > server.key
if you don't want an encrypted key, then you shouldn't specify the -aes256 encryption option.

regarding -sha256, the req man page says this:
Code:
       -[digest]
           this specifies the message digest to sign the request with (such as -md5, -sha1). This
           overrides the digest algorithm specified in the configuration file. For full list of
           possible digests see openssl dgst -h output.
i suppose the message digest would be used in verifying ("openssl req -verify -in server.csr") that the request has not been altered. you can see the digest of the request in the output of "openssl req -text -noout -in server.csr" (look for "Signature Algorithm").

if you're going to make a self-signed certificate, you can shorten the procedure to a single step. here, -sha256 specifies the digest algorithm for the certificate, not for the request, which does not even get produced with this command. the -nodes causes an unencrypted key to be outputted.
Code:
openssl req -new -x509 -sha256 -days 365 -nodes -newkey rsa:4096 -keyout server.key -out server.crt
Quote:
Also, for the single session key that gets created dynamically...how do I specify what encryption I want to use? Can't I use AES for the stream encryption(single session key) since it is symmetric?
that would have to be a cipher setting on nginx. but, a symmetric key is what is used for the session key. the (asymmetric) key you generate with openssl is used to exchange the session key between client and server.

Last edited by Berhanie; 11-20-2012 at 11:13 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
cryptsetup - canīt open luks parittion - "no key available with this passphrase" ts0 Linux - Software 1 06-08-2013 11:46 AM
How to use USB key for passphrase for encrypted /Data? tommyttt Linux - General 1 05-18-2011 02:37 AM
Cracking a gpg pgp key (passphrase) DaRkBoDoM Linux - Security 1 11-20-2007 03:32 AM
Revoking GPG key with only passphrase and public key djib Linux - Security 2 03-13-2007 03:20 AM
ssh / ssh-key -- its always asking for passphrase BaerRS Linux - General 1 01-07-2003 06:21 PM


All times are GMT -5. The time now is 08:14 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration