How to configure nginx + ssl with an encrypted key in .pem format
I would like to set up ssl for an existing nginx server. I got handed both a certificate and the corresponding (encrypted) private key. Both are in .pem format (each in its own file).
Almost all tutorials (e.g. 1) I found assume a key in the .key format.
When I configure + start nginx the certificate seems to get accepted so far. However I'm asked for a PEM pass phrase for the private key file.
Am I correct in the assumption that my only options are to either set up a nginx "ssl_password_file" with the pass phrase or use openssl/libressl to convert the .pem file containing the encrypted key to an unencrypted .key file like this?
How else should I handle an encrypted private key in .pem format?
Solution 1:
You've pretty much answered your own question.
Don't be confused by file extensions. The private key, whether password protected or not, is usually in PEM format. Often .pem is used for the certificate file, so .key is chosen for the corresponding private key. But the file extension is irrelevant.
So you have three options:
- Manually boot the server and provide the password at the console. This is probably the most secure option but also impractical for many situations.
- Provide a password file using ssl_password_file
- Permanently remove the password protection using openssl
For example, to remove the password from a private key:
openssl rsa -in original.key -out plain.key
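
The point that the file extension is irrelevant can be checked mechanically. The script below is an added example, not part of the original answer: it reads the PEM markers to tell whether a key file is passphrase-protected, and whether an unprotected key is accessible to anyone other than its owner. The function names, file names and sample files are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): decide from a PEM file's
# contents, not its extension, whether nginx will need a passphrase for it.

# Print certificate, encrypted-key, plain-key or unknown.
pem_kind() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted-key        # PKCS#8 encrypted container
    elif grep -q -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        # Traditional keys flag encryption in a Proc-Type header line.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted-key
        else
            echo plain-key
        fi
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    else
        echo unknown
    fi
}

# True only if group and others have no permission bits on the file.
owner_only() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Report what a file used as ssl_certificate_key requires.
audit_key() {
    case "$(pem_kind "$1")" in
        encrypted-key) echo needs-passphrase ;;
        plain-key)
            if owner_only "$1"; then echo ok; else echo plain-key-exposed; fi ;;
        *) echo not-a-private-key ;;
    esac
}

# Constructed sample files: real PEM markers, placeholder bodies.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' '-----END ENCRYPTED PRIVATE KEY-----' > "$1/site.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-256-CBC,00' '' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$1/legacy.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' '-----END PRIVATE KEY-----' > "$1/plain.key"
    chmod 644 "$1/plain.key"
}

# Audit any files given on the command line.
for f in "$@"; do printf '%s: %s\n' "$f" "$(audit_key "$f")"; done
```

A result of needs-passphrase corresponds to options 1 and 2 in the list above; after option 3, the resulting plain key should report ok, which requires owner-only permissions such as chmod 600.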