Possibility of no keying phrase keys?


on 27.07.2002 05:57:30 by davereed

Dear SSL experts and aficionados and RH gurus,

I am hoping someone out there has a piece of arcane (to me)
knowledge...

(Running RH-7.3, apache-1.3.23-14, openssl-0.9.6b-18)

I note that during reboot (a rare event), someone trusted
has to be around to manually key in the pass phrase to the
server.key file - sometimes it waits for this, and sometimes not;
in either case, unattended, the httpd sits around waiting to start.

(I learned this the other day when a power outage convinced
my system to shut down, and it restarted when power resumed).

So my question is, is there a way to generate a key that does not
look for a pass phrase, or automagically pipe the contents of some
file, or some such workaround, so that unattended, it can
come up and function as a server?

Any discussion of experience would be helpful

Many thanks.

--Dave

David F. Reed -> email: W5SV@arrl.net
(for pgp key: davereed@W5SV.org http://keys.pgp.com/ )


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Possibility of no keying phrase keys?

on 27.07.2002 14:34:27 by jacks

At 10:57 PM 7.26.2002 -0500, David F. Reed wrote:
>Dear SSL experts and aficionados and RH gurus,
>
>I am hoping someone out there has a piece of arcane (to me)
>knowledge...
>
>(Running RH-7.3, apache-1.3.23-14, openssl-0.9.6b-18)
>
>I note that during reboot (a rare event), someone trusted
>has to be around to manually key in the pass phrase to the
>server.key file - sometimes it waits for this, and sometimes not;
>in either case, unattended, the httpd sits around waiting to start.
>
>(I learned this the other day when a power outage convinced
>my system to shut down, and it restarted when power resumed).
>
>So my question is, is there a way to generate a key that does not
>look for a pass phrase, or automagically pipe the contents of some
>file, or some such workaround, so that unattended, it can
>come up and function as a server?
>
>Any discussion of experience would be helpful
>
>Many thanks.
>
>--Dave
>

Not sure what OS you have, but I run FBSD and this is the method I use to
solve that:
To decrypt the Key:

First make a copy of the encrypted key

# cp server.key server.key.cryp

Then re-write the key with encryption. You will be prompted for the
original encrypted Key passphrase

# /usr/bin/openssl rsa -in server.key.cryp -out server.key
read RSA key
Enter PEM pass phrase:
writing RSA key

One way to secure the decrypted Private Key is to make it readable only by
root:
# chmod 400 server.key

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com
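
Added example, not part of the original post: a small check to run after the passphrase has been stripped as described above, reporting whether a PEM key file is still encrypted and, if not, whether any group or other permission bits are set. The function name audit_key and its status strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a PEM private key file.
# Prints: encrypted | plaintext-restricted | plaintext-exposed | not-a-key

audit_key() {
    f=$1
    [ -f "$f" ] || { echo "not-a-key"; return 2; }

    # Traditional PEM marks an encrypted key with a Proc-Type header;
    # PKCS#8 uses a distinct BEGIN line instead.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo "encrypted"
        return 0
    fi

    # Anything without a private-key BEGIN line is not a key file.
    if ! grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "not-a-key"
        return 2
    fi

    # Mode string from ls, e.g. "-r--------": characters 5-10 are the
    # group and other bits; all must be "-" for an unencrypted key.
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        ????------) echo "plaintext-restricted"; return 0 ;;
        *)          echo "plaintext-exposed";    return 1 ;;
    esac
}

# Stand-alone use: sh audit_key.sh server.key server.key.cryp
if [ $# -gt 0 ]; then
    for k in "$@"; do
        printf '%s: %s\n' "$k" "$(audit_key "$k")"
    done
fi
```

A passphrase-free key is protected only by file permissions and by whoever can read backups of that file, so the copy kept as server.key.cryp should report "encrypted" and server.key should report "plaintext-restricted".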

Re: Possibility of no keying phrase keys?

on 27.07.2002 14:45:10 by jacks

At 10:57 PM 7.26.2002 -0500, David F. Reed wrote:
>Dear SSL experts and aficionados and RH gurus,
>
>I am hoping someone out there has a piece of arcane (to me)
>knowledge...
>
>(Running RH-7.3, apache-1.3.23-14, openssl-0.9.6b-18)
>
>I note that during reboot (a rare event), someone trusted
>has to be around to manually key in the pass phrase to the
>server.key file - sometimes it waits for this, and sometimes not;
>in either case, unattended, the httpd sits around waiting to start.
>
>(I learned this the other day when a power outage convinced
>my system to shut down, and it restarted when power resumed).
>
>So my question is, is there a way to generate a key that does not
>look for a pass phrase, or automagically pipe the contents of some
>file, or some such workaround, so that unattended, it can
>come up and function as a server?
>
>Any discussion of experience would be helpful
>
>Many thanks.
>
>--Dave
>
.....oops! It's still early here and no coffee. I see now that you run
Linux, so the paths will be different...., but perhaps the commands will
work. Not familiar with Linux....

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com

Re: Possibility of no keying phrase keys?

on 27.07.2002 15:35:16 by davereed

Many thanks Jack!

worked like a charm.

--Dave

Jack L. Stone wrote:

>At 10:57 PM 7.26.2002 -0500, David F. Reed wrote:
>
>>Dear SSL experts and aficionados and RH gurus,
>>
>>I am hoping someone out there has a piece of arcane (to me)
>>knowledge...
>>
>>(Running RH-7.3, apache-1.3.23-14, openssl-0.9.6b-18)
>>
>>I note that during reboot (a rare event), someone trusted
>>has to be around to manually key in the pass phrase to the
>>server.key file - sometimes it waits for this, and sometimes not;
>>in either case, unattended, the httpd sits around waiting to start.
>>
>>(I learned this the other day when a power outage convinced
>>my system to shut down, and it restarted when power resumed).
>>
>>So my question is, is there a way to generate a key that does not
>>look for a pass phrase, or automagically pipe the contents of some
>>file, or some such workaround, so that unattended, it can
>>come up and function as a server?
>>
>>Any discussion of experience would be helpful
>>
>>Many thanks.
>>
>>--Dave
>>
>
>Not sure what OS you have, but I run FBSD and this is the method I use to
>solve that:
>To decrypt the Key:
>
>First make a copy of the encrypted key
>
># cp server.key server.key.cryp
>
>Then re-write the key with encryption. You will be prompted for the
>original encrypted Key passphrase
>
># /usr/bin/openssl rsa -in server.key.cryp -out server.key
>read RSA key
>Enter PEM pass phrase:
>writing RSA key
>
>One way to secure the decrypted Private Key is to make it readable only by
>root:
># chmod 400 server.key
>
>Best regards,
>Jack L. Stone,
>Administrator
>
>Sage American
>http://www.sage-american.com
>jacks@sage-american.com
>

--
David F. Reed -> email: W5SV@arrl.net
(for pgp key: davereed@W5SV.org http://keys.pgp.com/ )




Re: Possibility of no keying phrase keys?

on 27.07.2002 16:39:38 by Geoff Thorpe

Hi,

On Fri, 26 Jul 2002, David F. Reed wrote:

[snip]

> I note that during reboot (a rare event), someone trusted
> has to be around to manually key in the pass phrase to the
> server.key file - sometimes it waits for this, and sometimes not;
> in either case, unattended, the httpd sits around waiting to start.

http://www.openssl.org/support/faq.html#USER9

Cheers,
Geoff

--
Geoff Thorpe
geoff@geoffthorpe.net

