A password or passphrase on a certificate's private key is often a security benefit, but here it is a hindrance: the web server component must be restarted whenever OpenAthens LA publishes changes to the runtime from the administration console. Keeping the password would mean that every time the library made a change and published it, the IT team would need to manually restart Apache on each runtime and enter the password when prompted.

How to remove a password from a certificate

Examples assume you are in the same directory as the certificate.

  1. Back up the certificate (optional)

    sudo cp -p idp.yourdomain.com.key idp.yourdomain.com.key.backup

  2. Remove the password - you will be prompted for the password during the process

    sudo openssl rsa -in idp.yourdomain.com.key -out idp.yourdomain.com.key.tmp
    sudo mv idp.yourdomain.com.key.tmp idp.yourdomain.com.key

  3. Check ownership, permissions and security context

    ls -Z
    -rw-------. root root system_u:object_r:cert_t:s0  idp.yourdomain.com.key

  4. Use the following commands to set things as required should they differ.

    sudo chmod 600 idp.yourdomain.com.key
    sudo chown root:root idp.yourdomain.com.key
    sudo chcon -u system_u -r object_r -t cert_t idp.yourdomain.com.key
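
A check to run after step 4, added here as an example and not part of the OpenAthens documentation: it confirms that the key file no longer carries a passphrase and that its mode, owner and SELinux type match the values shown above. The function names are made up for this example, and it assumes a PEM-encoded key and GNU stat.

```bash
#!/bin/sh
# Added example: audit a private key after its passphrase has been removed.
# Assumes a PEM-encoded key and GNU stat (Linux). Function names are hypothetical.

# Succeeds (returns 0) if the PEM file is still passphrase-protected.
key_is_encrypted() {
    # Encrypted PKCS#8 keys have their own BEGIN line; encrypted traditional
    # keys keep "BEGIN RSA PRIVATE KEY" and add a Proc-Type header.
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
             -e '^Proc-Type: 4,ENCRYPTED' -- "$1"
}

# audit_key FILE [OWNER:GROUP] [SELINUX_TYPE]
# Defaults follow the page: root:root and cert_t. Pass "" as the third
# argument to skip the SELinux check. Returns 0 only if every check passes.
audit_key() {
    local key="$1" want_owner="${2:-root:root}" want_type="${3-cert_t}"
    local rc=0 mode owner ctx
    [ -f "$key" ] || { echo "FAIL: $key not found"; return 2; }

    if key_is_encrypted "$key"; then
        echo "FAIL: $key still has a passphrase"; rc=1
    fi

    mode=$(stat -c '%a' "$key")
    owner=$(stat -c '%U:%G' "$key")
    [ "$mode" = 600 ] || { echo "FAIL: mode $mode, expected 600"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "FAIL: owner $owner, expected $want_owner"; rc=1; }

    # Check the SELinux type only where SELinux is present and enabled.
    if [ -n "$want_type" ] && command -v selinuxenabled >/dev/null 2>&1 \
            && selinuxenabled; then
        ctx=$(stat -c '%C' "$key")
        case "$ctx" in
            *:"$want_type":*) ;;
            *) echo "FAIL: context $ctx, expected type $want_type"; rc=1 ;;
        esac
    fi

    [ "$rc" -eq 0 ] && echo "OK: $key"
    return "$rc"
}

# Run the audit when a file name is given on the command line.
[ "$#" -eq 0 ] || audit_key "$@"
```

Saved under a name of your choosing and run with sudo against idp.yourdomain.com.key, it exits non-zero and prints one FAIL line per setting that differs.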