I'm working with Apache2 and Passenger for a Rails project. I would like to create a self-signed SSL Certificate for testing purposes.

sudo openssl rsa -des3 -in server.key -out server.key.new

When i enter the above command, it says

writing RSA key
Enter PEM pass phrase:

If i do not enter the pass phrse, im getting the below error

unable to write key
3079317228:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:Yo
u must type in 4 to 1024 characters
3079317228:error:0906406D:PEM routines:PEM_def_callback:problems getting passwor
3079317228:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:382

Is it possible to generate a RSA key without giving pass phrase, since I am not sure how the /etc/init.d/httpd script will start the HTTP server without human intervention (i.e. If I give a 4 character pass phrase, it expects me to provide this while starting the Apache HTTP server).

  • 1,873
  • 2
  • 14
  • 8
  • 7
    Your command line tells `openssl` to encrypt an existing key. That sounds like something other than what you want. – David Schwartz Mar 05 '12 at 08:41
  • 1
    Apache httpd _can_ be configured to obtain the privatekey passphrase(s) noninteractively; see the doc for mod_ssl, or in many cases comments in the provided/packaged config file(s). However, this is usually no more secure than just leaving the privatekey unencrypted, which is simpler. – dave_thompson_085 Apr 25 '18 at 12:46

9 Answers9


If you are generating a self signed cert, you can do both the key and cert in one command like so:

openssl req  -nodes -new -x509  -keyout server.key -out server.cert

Oh, and what @MadHatter said in his answer about omitting the -des3 flag.

  • 11,176
  • 5
  • 41
  • 63

Leave off the -des3 flag, which is an instruction to openssl to encrypt server.key.new (which, incidentally, isn't a new key at all - it's exactly the same as server.key, only with the passphrase changed/stripped off).

  • 79,770
  • 20
  • 184
  • 232

The openssl req command from the answer by @Tom is correct to create a self-signed certificate in server.cert incl. a password-less RSA private key in server.key:

openssl req -nodes -new -x509 -keyout server.key -out server.cert

Here is how it works. Omitting -des3 as in the answer by @MadHatter is not enough in this case to create a private key without passphrase. It is enough for this purpose in the openssl rsa ("convert a private key") command referred to by @MadHatter and the openssl genrsa ("create a private key") command. Just not for for the openssl req command here. We additionally need -nodes ("No DES encryption of server.key please!").

  • 666
  • 7
  • 13

Use the -nodes parameter, if this option is specified then the private key will not be encrypted, e.g.:

openssl \
    req \
    -nodes \
    -newkey rsa:2048 \
    -keyout www.example.com.key \
    -out www.example.com.csr \
    -subj "/C=DE/ST=NRW/L=Berlin/O=My Inc/OU=DevOps/CN=www.example.com/emailAddress=dev@www.example.com"
  • 771
  • 7
  • 5

Just run it again through openssl

first generate the key with the passphrase

then openssl rsa -in server.key -out server.key

  • 265
  • 2
  • 5
  • 1
    This is not working on ubuntu 16.04 – sweetfa May 09 '16 at 20:19
  • 3
    I downvoted because this answer is not what was asked, also the command requires an input and doesn't generate a key. – Don Oct 11 '16 at 13:37
  • 1
    The user already demonstrated they know how to generate a key. This answer builds on that knowledge, and I suggest to take the newly generated key and pass it again through `openssl` Hence achieving the goal of what was asked: generating a key without a pass phrase. – darethas Oct 11 '16 at 14:19
  • Works for me, `openssl` on Windows 10 from GitBash. Thanks for info. – Green May 14 '17 at 21:11
  • cool it worked for my self signed cert – luky Aug 13 '20 at 12:31
  • Not sure why one would suggest encrypting and decrypting instead of just not encrypting it in the first place. Adding `-nodes` parameter is the more correct answer. – mpowered May 02 '22 at 16:34
  • This is not wrong though, but you may also need to pass the current password via `-passin pass:PASSWORD` if used in non interactive mode – Treviño Jan 24 '23 at 02:36

Adding '-nodes' to the 'openssl req' allows a unencrypted (no pass phrase) private key to be generated from the 'openssl req' command

David Roe
  • 121
  • 1
  • 2

Use the next command to generate password-less private key file with NO encryption. The last parameter is the size of the private key.

openssl genrsa -out my-passless-private.key 4096
  • 159
  • 1
  • 3
  • 1
    This is NOT password-less. It is completely and entirely password-ful. – dave_thompson_085 Apr 25 '18 at 12:48
  • I was experimenting with position of the parameters. It is now OK. I changed the places of last two parameters and tested the command. – nix Apr 25 '18 at 13:47
  • Now it produces an _unencrypted_ file. Options after the (only) positional argument are ignored. Look at the file; it's not encrypted. Replace `4096 -des3` with `4096 -sillywombat` and it still works and produces the same format, still unencrypted (but a different key value of course). There is no way to have a passwordless encrypted privatekey file, and correct solutions for a passwordless unencrypted file were given six years ago. – dave_thompson_085 Apr 26 '18 at 12:58
  • 1
    You are right. @dave_thompson_085. The last parameter doesn't any affect on the command. I updated my answer. It generate none encrypted base64 encoded and not password protected private key file. – nix Apr 26 '18 at 14:16

To generate PEM certificate without passphrase:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 10000 -nodes

Jianwu Chen
  • 101
  • 1

To generate a self signed cert for testing:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
-days 365 -sha256

Then remove the password from the key via

openssl rsa -in key.pem -out nopass.pem

This answers is from: https://actix.rs/docs/server/. This answer completes https://serverfault.com/a/662445/113360 above with a preceding step.

  • 135
  • 2
  • 6
  • Or simpler use `-nodes` on `req -newkey` as was explained on multiple answers many many years ago. This not only does not add any positive value, it has _negative_ value. – dave_thompson_085 Jul 10 '22 at 01:42