How to Generate RSA Private Key Without Passphrase for Apache/Passenger Deployment

When setting up SSL for development environments, password-protected private keys create an operational bottleneck. The standard OpenSSL command:

openssl genrsa -des3 -out server.key 2048

This forces a passphrase to be entered at every start, which causes problems with:

  • Automated server restarts
  • CI/CD pipeline execution
  • Containerized deployments

For testing environments where security requirements are relaxed, use either of these approaches:

# Method 1: Generate unprotected key from scratch
openssl genrsa -out server.key 2048

# Method 2: Remove passphrase from existing key
openssl rsa -in server.key.original -out server.key.unprotected

Apache configuration when using an unprotected key:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/server.key.unprotected
    # optional_no_ca asks the client for a certificate but does not verify it
    # against a CA; it is a testing-only setting and unrelated to the key passphrase
    SSLVerifyClient optional_no_ca
</VirtualHost>

While convenient for development, always implement proper security in production:

  • Store protected keys in hardware security modules
  • Use configuration management tools to handle passphrase entry
  • Consider Let's Encrypt for valid certificates

For Rails apps using Passenger:

#!/bin/bash
# Sample startup script for Passenger Standalone. Run it in place of
# "passenger start" (for example from the service manager). Note that the
# passenger_startup_file directive in passenger.conf names the application's
# own startup file (config.ru by default), not a shell script like this one.
set -euo pipefail
# Decrypt the protected key using the passphrase piped in on stdin;
# the passphrase is stored in clear text in this script.
echo "yourpassphrase" | openssl rsa -in secure.key -passin stdin -out runtime.key
chmod 600 runtime.key
exec bundle exec passenger start

When setting up SSL for Apache with Passenger (commonly used for Rails deployments), you'll typically generate a private key with:

openssl genrsa -des3 -out server.key 2048

This forces you to enter a passphrase, which becomes problematic for automated server restarts, since Apache cannot obtain the passphrase during an unattended boot.

To create an RSA key without passphrase protection:

openssl genrsa -out server.key 2048

The critical difference is omitting the -des3 flag, which would encrypt the key with Triple DES. This generates an unprotected private key that Apache can load without manual intervention.

While convenient for development, unprotected keys pose security risks in production:

  • Anyone gaining server access can steal the key
  • No protection against unauthorized use
  • Consider using passphrases in production with key decryption at startup

If you already have an encrypted key but need to remove the passphrase:

openssl rsa -in encrypted.key -out unprotected.key

This outputs an unprotected version while keeping the original encrypted file.

In your Apache SSL configuration (httpd-ssl.conf or equivalent):

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    # Other SSL directives...
</VirtualHost>

With an unprotected key, Apache won't prompt for a passphrase during startup.

For CI/CD pipelines or automated deployments:

  • Store unprotected keys securely in your deployment system
  • Set strict file permissions (600) on the key file
  • Consider using environment variables for sensitive data
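The following audit script is an added example (not part of the original page) that checks the two points above before a key is deployed: whether a PEM key is still passphrase-protected, and whether an unprotected key is readable only by its owner. It assumes keys end in .key and relies on the PEM headers OpenSSL writes rather than on the openssl binary.

```shell
#!/bin/sh
# Audit PEM private keys before deploying them for Apache/Passenger:
# report whether each key is passphrase-protected and whether an
# unprotected key has owner-only (600/400) permissions.

# Exit 0 if the key is encrypted. "openssl genrsa -des3" writes a traditional
# PEM with a "Proc-Type: 4,ENCRYPTED" header; PKCS#8 keys written by
# "openssl pkcs8" or "genpkey" use the "ENCRYPTED PRIVATE KEY" PEM label.
key_is_encrypted() {
    grep -qE '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Print the octal permission bits of a file (GNU stat, then BSD stat fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 if nobody but the owner can read the key (mode 600 or 400).
key_perms_ok() {
    case "$(key_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Classify one key file and print "<path> <status>". Statuses:
#   encrypted           - passphrase still set; Apache would prompt at startup
#   unprotected-ok      - no passphrase, permissions restricted to the owner
#   unprotected-exposed - no passphrase AND readable by group/others
# Returns 1 for an exposed key so the audit can fail a deployment step.
audit_key() {
    if key_is_encrypted "$1"; then
        echo "$1 encrypted"
    elif key_perms_ok "$1"; then
        echo "$1 unprotected-ok"
    else
        echo "$1 unprotected-exposed (mode $(key_mode "$1"))"
        return 1
    fi
}

# Audit every .key file in a directory; exits 1 if any key is exposed.
audit_dir() {
    rc=0
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        audit_key "$f" || rc=1
    done
    return $rc
}
```

Run `audit_dir /etc/ssl/private` (or wherever the deployment system stages keys) as a pre-deploy step; a non-zero exit means an unprotected key is readable by more than its owner.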

Full self-signed certificate generation without passphrase:

# Generate private key
openssl genrsa -out server.key 2048

# Create CSR
openssl req -new -key server.key -out server.csr

# Generate self-signed cert
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This gives you all components needed for SSL configuration without passphrase prompts.

For production environments, consider:

  • Using Let's Encrypt for trusted certificates
  • Implementing proper key management solutions
  • Regular key rotation policies
  • Hardware security modules (HSMs) for critical systems