LinuxQuestions.org
Old 11-19-2012, 11:51 PM   #1
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 232

Rep: Reputation: 8
Removing a Passphrase from a key


I was reading about making a certificate for a website on http://wiki.nginx.org/HttpSslModule#...e_Certificates. In the steps:
Now create the server private key, you'll be asked for a passphrase:
$ openssl genrsa -des3 -out server.key 1024

later it has:
Remove the necessity of entering a passphrase for starting up nginx with SSL using the above private key:
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

I understand about not wanting a passphrase, so the webserver can start without having to enter anything. But what I don't understand is how does this remove the passphrase? Does the -des3 Encryption still stay?
$ openssl rsa -in server.key.org -out server.key
 
Old 11-20-2012, 12:02 AM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
yes, it's a bit confusing. the -des option is for the output. since you don't have -des in the second command, the key will be outputted without being encrypted, although, you would be prompted for the pass phrase in order to read the previously encrypted key.
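
The behaviour described in this reply, as an added example that is not part of the original thread: the cipher option applies to the output file, so re-writing the key without one stores it in the clear, and the RSA key itself is unchanged. The function names, the `pass:demo-only` passphrase and the use of `-aes256` in place of `-des3` are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify a PEM private key as passphrase-protected or not,
# then strip the passphrase and confirm the RSA key itself is unchanged.

# Return 0 if the PEM file is encrypted, non-zero if it is stored in the clear.
key_is_encrypted() {
    # The traditional format marks encryption in a header line; PKCS#8 uses a
    # distinct BEGIN label (the default private key output of OpenSSL 3.x).
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Round trip in a scratch directory. The passphrase is a constructed demo
# value; pass:... on the command line is visible to other local users.
strip_passphrase_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        umask 077   # an unencrypted key is protected only by file permissions
        openssl genrsa -aes256 -passout pass:demo-only \
            -out server.key.org 2048 2>/dev/null
        key_is_encrypted server.key.org || exit 2   # cipher option hit the output
        # No cipher option here, so the key is written back unencrypted.
        openssl rsa -in server.key.org -passin pass:demo-only \
            -out server.key 2>/dev/null
        key_is_encrypted server.key && exit 3
        # Same key material in both files: the moduli must match.
        a=$(openssl rsa -in server.key.org -passin pass:demo-only -noout -modulus)
        b=$(openssl rsa -in server.key -noout -modulus)
        [ -n "$a" ] && [ "$a" = "$b" ] || exit 4
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

`key_is_encrypted /path/to/server.key` can be run on its own to check whether a deployed key file is passphrase-protected; `strip_passphrase_demo` returns 0 when the round trip behaves as described.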
 
Old 11-20-2012, 03:18 AM   #3
dman777
Why did they have me encrypt the key to begin with if they are removing the encryption later?
 
Old 11-20-2012, 03:35 AM   #4
Berhanie
i don't know, and it's more convoluted than it should be if you're going to use an unencrypted key. keep in mind that the instructions come from the wiki (which anyone can edit) and not from the official docs. but, maybe the intention is that you store the encrypted key somewhere outside the server as backup. the key size also looks a bit weak.
 
Old 11-20-2012, 04:20 AM   #5
dman777
I don't intend to make a key with a passphrase. So I will just make the key as such:
openssl genrsa -aes256 4096 > server.key

Then I will make the csr:
openssl req -sha256 -new -key server.key -out server.csr

My question is....what is the -sha256 being used for?

Also, for the single session key that gets created dynamically...how do I specify what encryption I want to use? Can't I use AES for the stream encryption(single session key) since it is symmetric?
 
Old 11-20-2012, 10:53 PM   #6
Berhanie
Quote:
I don't intend to make a key with a passphrase. So I will just make the key as such:
openssl genrsa -aes256 4096 > server.key
if you don't want an encrypted key, then you shouldn't specify the -aes256 encryption option.

regarding -sha256, the req man page says this:
Code:
       -[digest]
           this specifies the message digest to sign the request with (such as -md5, -sha1). This
           overrides the digest algorithm specified in the configuration file. For full list of
           possible digests see openssl dgst -h output.
i suppose the message digest would be used in verifying ("openssl req -verify -in server.csr") that the request has not been altered. you can see the digest of the request in the output of "openssl req -text -noout -in server.csr" (look for "Signature Algorithm").

if you're going to make a self-signed certificate, you can shorten the procedure to a single step. here, -sha256 specifies the digest algorithm for the certificate, not for the request, which does not even get produced with this command. the -nodes causes an unencrypted key to be outputted.
Code:
openssl req -new -x509 -sha256 -days 365 -nodes -newkey rsa:4096 -keyout server.key -out server.crt
Quote:
Also, for the single session key that gets created dynamically...how do I specify what encryption I want to use? Can't I use AES for the stream encryption(single session key) since it is symmetric?
that would have to be a cipher setting on nginx. but, a symmetric key is what is used for the session key. the (asymmetric) key you generate with openssl is used to exchange the session key between client and server.

Last edited by Berhanie; 11-20-2012 at 11:13 PM.
 
  

