# Help me rectify my ssl concepts.

## dE_logics

When I make an ssl rsa private key, it has a password. Then I have to remove the password to get things working (with the servers).

Q. Why did openssl ask for a password?

When you make a key, you also have an option to specify a symmetric cipher algorithm. But the application using the ssl key is supposed to do that (select the cipher algorithm). So what happens when I specify this algorithm when generating the key?

----

Also, can I specify the key length of the symmetric encryption that the client (with the private certificate) uses?

----------

## malern

*dE_logics wrote:*

> When I make an ssl rsa private key, it has a password. Then I have to remove the password to get things working (with the servers).
>
> Q. Why did openssh ask for a password?

(I'm assuming you meant openssl not openssh) Most likely because you told it to encrypt the private key (you do this by specifying a cipher on the command line). Depending on what you want to do with the rsa key it is sometimes useful to have it encrypted, which is why it's an option. If you're just decrypting it straight away then there's no point encrypting it in the first place (i.e. you shouldn't be specifying a cipher to encrypt it with, and then it won't prompt for a password).

*dE_logics wrote:*

> When you make a key, you also have an option to specify a symmetric cipher algorithm. But the application using the ssl key is supposed to do that (select the cipher algorithm). So what happens when I specify this algorithm when generating the key?

The cipher is only used to encrypt the private key, it does not dictate which cipher the application will use.

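To make malern's point concrete, here is an added Python example (not from this thread or from OpenSSL itself) that inspects a PEM private key and reports whether it is encrypted at rest and, for the traditional PEM format, which cipher wraps it: the cipher named when generating the key only appears in the key file's own headers and has no bearing on the TLS session. The PEM samples are constructed filler, not real keys.

```python
import re

# Constructed samples (not from the thread): the base64 bodies are filler, not real keys.
# 1. Traditional PEM as written by `openssl genrsa -aes256`: the cipher protecting the key
#    at rest is recorded in the DEK-Info header; it says nothing about TLS cipher suites.
ENCRYPTED_TRADITIONAL_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEpAIBAAKCAQEAbm90IGEgcmVhbCBrZXksIGp1c3QgY29uc3RydWN0ZWQgZmlsbGVy
-----END RSA PRIVATE KEY-----
"""
# 2. The same key after `openssl rsa -in enc.pem -out plain.pem`: no headers, no passphrase.
PLAIN_TRADITIONAL_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAbm90IGEgcmVhbCBrZXksIGp1c3QgY29uc3RydWN0ZWQgZmlsbGVy
-----END RSA PRIVATE KEY-----
"""
# 3. PKCS#8 form (`openssl pkcs8 -topk8`): encryption is signalled by the label alone,
#    and the cipher parameters live inside the DER, not in a PEM header.
ENCRYPTED_PKCS8_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIY29uc3RydWN0ZWQCAggA
-----END ENCRYPTED PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def inspect_pem_key(pem: str) -> dict:
    """Report whether the first PEM private key in `pem` is encrypted at rest and, for
    traditional PEM, which cipher wraps it (optional "Name: value" header lines, then base64)."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    headers = {}
    for line in body.splitlines():
        if ":" not in line:          # base64 never contains ':', so the headers are over
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    if label == "ENCRYPTED PRIVATE KEY":
        return {"label": label, "encrypted": True, "cipher": None}
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    cipher = headers["DEK-Info"].split(",")[0] if encrypted and "DEK-Info" in headers else None
    return {"label": label, "encrypted": encrypted, "cipher": cipher}

def unencrypted_keys(named_pems: dict) -> list:
    """Audit helper: names of key files stored without passphrase protection."""
    return [name for name, pem in named_pems.items() if not inspect_pem_key(pem)["encrypted"]]
```

Running `inspect_pem_key` over the keys a server reads at startup is a quick way to see which ones would prompt for a passphrase and which ones sit on disk in the clear.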
----------

## lxg

You don't have to remove the passphrase to get the key working. That's only what many SSL Howtos of certificate providers suggest, in order to minimize customer support efforts.

In a more security critical setup, it is a good idea to keep the key and have Apache etc. ask for it when restarting.

However, not all services support that. And, this can conflict with stuff like certain setups of logrotate, which try to restart Apache after rotating, and fail due to a missing passphrase to the private key.

Anyway, bottom line: the passphrase is there for a reason.

----------

## chiefbag

*Quote:*

> However, not all services support that. And, this can conflict with stuff like certain setups of logrotate, which try to restart Apache after rotating, and fail due to a missing passphrase to the private key.

You can set the following in the /etc/conf.d/apache2 to overcome the passphrase at reload problem

```
RELOAD_TYPE="graceful"
```

----------

## dE_logics

Ok, thanks for clarifying all this.

Now the only question remaining is about the client.

----------

## AngelKnight

*dE_logics wrote:*

> Also, can I specify the key length of the symmetric encryption that the client (with the private certificate) uses?

As far as I know, there are no standard X509 certificate attributes that influence SSL/TLS session setup involving a given X509 cert. Generally the software on which the certificate is installed provides separate controls to constrain the permissible session ciphers and modes for enciphered sessions.

Last edited by AngelKnight on Tue Mar 01, 2011 7:44 am; edited 1 time in total

----------

## dE_logics

*AngelKnight wrote:*

> *dE_logics wrote:* Also, can I specify the key length of the symmetric encryption that the client (with the private certificate) uses?
>
> As far as I know, there are no standard X509 certificate attributes that influence SSL/TLS session setup involving a given X509 cert. Generally the software on which the certificate is installed provides separate controls to constrain the permissible session ciphers and modes for enciphered sessions.

I've yet to find any client in which I can specify the key length of the symmetric algorithm.

----------

## AngelKnight

*dE_logics wrote:*

> I've yet to find any client in which I can specify the key length of the symmetric algorithm.

```
man ssl-ciphers
```

will provide the instructions on how to specify specific cipher requirements for commands you might issue with the openssl suite, like s_client.

----------