Confusion with Pem Pass Phrase and Challenge Password

When creating a CSR with OpenSSL, it asks me:

Enter PEM pass phrase:

After that it asks:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

I read that the PEM pass phrase is for encrypting the key file, and any service (like Apache) using the key file will ask for the PEM pass phrase when restarting the service. Then what is the challenge password?


Solution 1:

This adds the challengePassword attribute to the certificate request, described in PKCS#9 section 5.4.1:

5.4.1 Challenge password

The challengePassword attribute type specifies a password by which an entity may request certificate revocation. The interpretation of challenge passwords is intended to be specified by certificate issuers etc; no particular interpretation is required.

This attribute is part of the request and will not be present in the final certificate. In most cases, you can just leave this attribute empty – most CAs ignore it.
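To see the two concepts side by side, here is an added example (not part of the original answer) that builds an encrypted key and a CSR non-interactively, signs the CSR, and then checks where each value ends up. The subject name, both pass phrases and the file names are constructed placeholders; the script only needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): the PEM pass phrase encrypts the
# private key file, while challengePassword is a PKCS#9 attribute stored only in
# the CSR. Subject, pass phrases and file names below are constructed placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Request config with prompt=no, so the attribute value is taken literally
# instead of being asked for interactively ("A challenge password []:").
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
attributes         = req_attributes
prompt             = no
[ dn ]
CN = example.test
[ req_attributes ]
challengePassword = CsrChallenge123
EOF

# Key and CSR in one step, as in the question. -passout answers the
# "Enter PEM pass phrase:" prompt; without -nodes the key file is encrypted.
openssl req -new -newkey rsa:2048 -keyout "$WORK/key.pem" -passout pass:KeyPassPhrase \
    -config "$WORK/req.cnf" -out "$WORK/req.csr" 2>/dev/null

# Stand-in for the CA: sign the CSR (self-signed here) to obtain a certificate.
openssl x509 -req -in "$WORK/req.csr" -signkey "$WORK/key.pem" \
    -passin pass:KeyPassPhrase -days 1 -out "$WORK/cert.pem" 2>/dev/null

# Each check prints yes/no so the three facts can be compared directly.
key_is_encrypted()   { grep -q 'ENCRYPTED' "$WORK/key.pem" && echo yes || echo no; }
csr_has_challenge()  { openssl req  -in "$WORK/req.csr"  -noout -text | grep -q challengePassword && echo yes || echo no; }
cert_has_challenge() { openssl x509 -in "$WORK/cert.pem" -noout -text | grep -q challengePassword && echo yes || echo no; }

echo "key file encrypted with PEM pass phrase : $(key_is_encrypted)"
echo "challengePassword present in CSR        : $(csr_has_challenge)"
echo "challengePassword present in certificate: $(cert_has_challenge)"
```

The first two checks print yes and the last prints no: the pass phrase lives with the key file, the challenge password lives only in the request, and neither reaches the issued certificate.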