We recently updated our SSL certificate for futurestud.io. We decided to use AES256 for the new SSL certificate which requires a password for the .key file. At this point, we didn’t think of any problems with nginx. The nerve-racking part was waiting in secret!
Problem: Nginx Asking for Password on Restart/Reload
We submitted the .csr for signing and got the certificate file (.crt) in return. Concatenated with the intermediate certificate, we defined the new SSL certificate and key in our nginx configuration.
ssl_certificate /etc/nginx/ssl/futurestudio.pem;
ssl_certificate_key /etc/nginx/ssl/private/futurestudio.key;
Afterwards, we wanted to reload the nginx configuration and it was asking for the PEM phrase.
$ sudo service nginx reload
Reloading nginx configuration:
Enter PEM pass phrase:
The annoying part: nginx was asking for the PEM phrase on every reload or restart. When defining an additional certificate, you have to provide a second password. A third certificate requires another password, and so on. You’ll literally freak out when just reloading nginx for a minor config change.
How to Remove PEM Password
You can use the openssl rsa command to remove the passphrase. As arguments, we pass in the passphrase-protected .key file and get an unprotected .key file as output.
$ openssl rsa -in futurestudio_with_pass.key -out futurestudio.key
This command will ask you one last time for your PEM passphrase. Type the password, confirm with the Enter key and you’re done. Finally!
Nginx won’t ask for the PEM passphrase anymore and you’re free to reload and restart nginx as much as you want.
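Removing the passphrase leaves the private key in plaintext on disk, so file permissions become its only protection. The following is an added example, not part of the original post (the function names are assumptions): it runs the openssl rsa command from above under a private umask and audits a key file for leftover encryption and for group/world access.

```shell
#!/bin/sh
# Added example: function names and the script name are assumptions,
# not taken from the original post.

# strip_passphrase IN OUT: the post's openssl command, run in a subshell
# with a private umask so OUT is never created group- or world-readable.
strip_passphrase() (
    umask 077
    openssl rsa -in "$1" -out "$2"
)

# key_is_encrypted FILE: true if the PEM key still needs a passphrase.
# Traditional PEM carries a "Proc-Type: 4,ENCRYPTED" header; PKCS#8 uses
# the "BEGIN ENCRYPTED PRIVATE KEY" label.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# key_perms_private FILE: true if group and others have no permission bits.
key_perms_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_key FILE: returns 0 = unencrypted and private, 1 = still encrypted
# (nginx will prompt), 2 = unencrypted but accessible beyond the owner.
audit_key() {
    if key_is_encrypted "$1"; then
        echo "$1: still passphrase-protected"
        return 1
    fi
    if ! key_perms_private "$1"; then
        echo "$1: unencrypted and accessible to group/others; chmod 600"
        return 2
    fi
    echo "$1: ok"
}

# Audit a key when a path is given, for example:
#   sh audit_key.sh /etc/nginx/ssl/private/futurestudio.key
if [ -n "${1:-}" ]; then audit_key "$1"; fi
```
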
Additional Resources
- openssl rsa man page
- Configure SSL certificate chain