What is a challenge password?

The “challenge password” requested as part of the CSR generation, is different from the passphrase used to encrypt the secret key (requested at key generation time, or when a plaintext key is later encrypted – and then requested again each time the SSL-enabled service that uses it starts up).

Here’s a key being generated, and the beginning of the generated key:

$ openssl genpkey -algorithm rsa -out foo.key
............++++++
...++++++

$ head -3 foo.key
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAJ9jNAG4Noy//r/S
eeK/gEgGOV0BZm0CYmgSQGj4P6N3cJsPlGsG80qKTxTFwoEiXnM3BVeBpDdXhGKt

This key has no passphrase. I wasn’t prompted for one at creation, and haven’t entered one. Now, let’s generate an encrypted key:

$ openssl genpkey -algorithm rsa -des3 -out bar.key
...........................................++++++
.....................................++++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

$ head -3 bar.key
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQInfwj1iv3icMCAggA
MBQGCCqGSIb3DQMHBAizMHBklBexiwSCAoDtRKf1WtMiVMH7HraGTIG0rlQS6Xuj

So it should be clear what an encrypted private key (which apache, or any other SSL-enabled server, will need unlocking for it when it starts) and a plaintext private key (which doesn’t require unlocking at service start time) look like. Now I’ll generate a CSR with a challenge password from the unencrypted key:

$ openssl req -new -key foo.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:asdfasdf
An optional company name []:
-----BEGIN CERTIFICATE REQUEST-----
MIIBmzCCAQQCAQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0
eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAn2M0Abg2jL/+v9J54r+ASAY5XQFmbQJiaBJAaPg/o3dwmw+U
awbzSopPFMXCgSJeczcFV4GkN1eEYq2Cmam3tH6t8mVDh0/UryJSWBsaFm9mh9RF
gIpP0hEkYZTf/0X+X06ukt9S/Id9Z/tVgPsZA3TcNjNhJfVaTm81/4ykq8UCAwEA
AaAZMBcGCSqGSIb3DQEJBzEKDAhhc2RmYXNkZjANBgkqhkiG9w0BAQUFAAOBgQCa
ivuDRBlHOhBjg6wPbH9NvCnvEnxeEAkYi0Sl/Grdo/WCk17e+sv9wgqEW1QSIdbV
XzMeWidurv4AtcATwhfk9tBcYBCTxANkTONzhJG7Yk9OAz8g8Ljo8EEvPf4oHqpw
tBg10DCD2op0lCwL2LBdPO3RG20f/HD6fEXPVxZdOQ==
-----END CERTIFICATE REQUEST-----

And just to show that the key hasn’t magically become encrypted:

$ head -3 foo.key
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAJ9jNAG4Noy//r/S
eeK/gEgGOV0BZm0CYmgSQGj4P6N3cJsPlGsG80qKTxTFwoEiXnM3BVeBpDdXhGKt

So I say again: the “challenge password” requested as part of the CSR generation is not the same thing as a passphrase used to encrypt the secret key. The “challenge password” is basically a shared-secret nonce between you and the SSL certificate-issuer (aka Certification Authority, or CA), embedded in the CSR, which the issuer may use to authenticate you should that ever be needed. Some SSL certificate-issuers make that clearer than others; look down at the bottom of this page to see where they say the challenge password is needed – it’s not when you restart apache:

Should you choose to enter and use a challenge password, you will need
to make sure that you save that password in a secure place. If you
ever need to reinstall your certificate for any reason, you will be
required to enter that password.

Related Posts:

  1. How do you sign a Certificate Signing Request with your Certification Authority?
  2. NET::ERR_CERT_REVOKED in Chrome, when the certificate is not actually revoked
  3. https connection using CURL from command line
  4. “ssl module in Python is not available” when installing package with pip3
  5. How to generate a self-signed SSL certificate using OpenSSL?
  6. Convert .pem to .crt and .key
  7. Simple Java HTTPS server
  8. HTTPS connection Python
  9. Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  10. CFNetwork SSLHandshake failed iOS 9
  11. What exactly is cacert.pem for?
  12. OpenSSL: unable to verify the first certificate for Experian URL
  13. ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED in Google Chrome
  14. How to disable cURL SSL certificate verification
  15. Java Keytool error after importing certificate , “keytool error: java.io.FileNotFoundException & Access Denied”
  16. Issues with installing python libraries on Windows : CondaHTTPError: HTTP 000 CONNECTION FAILED for url
  17. WordPress wp-admin https redirect loop
  18. Is it safe to use sslverify => true for with wp_remote_get/wp_remote_post
  19. Howto force SSL for all requests?
  20. Local version of a WordPress site – SSL/HTTPS enforced?
  21. bloginfo() and get_template_directory_uri() with SSL?
  22. Favicon causes mixed content warning over SSL
  23. After updating site to use SSL all images in posts point to http://
  24. Adding https to wordpress website
  25. What’s the right move with SSL for user based site?
  26. I am locked out of my WordPress site after changing site URL from Http to Https
  27. Enabling SSL on wordpress results in 404
  28. SSL setup: wp-login css doesn’t load over httpS
  29. In WP versions >= 4.0, is FORCE_SSL_LOGIN forcing HTTPS for the entire admin session?
  30. Separating HTTP and HTTPS content with WordPress, Varnish, and an SSL terminator?
  31. SSL Certificate and WordPress
  32. Pointing SSL Enabled URL at Single WordPress Page
  33. Occasional HTTPS Mixed Content Warning
  34. Divert http to https with WordPress on IIS
  35. Google maps causing mixed content in header
  36. Cloudflare and SSL breaks wordpress – Mixed Content & Unable to use Admin
  37. XML asset fails to load using https
  38. I changed my site from HTTPS back to HTTP and now it is broken- Cannot access Admin panel on HTTP URL
  39. un-loading https
  40. WordPress site shows “File not found.” if opened through https
  41. How to set up HTTPS WordPress from Install Step?
  42. SSL certificate error on Google Chrome , IE [closed]
  43. Address a single page to SSL https secure protocol?
  44. Certain header elements not served over https
  45. wordpress http to https windows server
  46. Jetpack “Connect to WordPress” serving insecure content under HTTPS
  47. Allow non-SSL pages to use https or Force non-SSL pages to http?
  48. Website access with http and https
  49. How to force non SSL on just one page?
  50. Need ideas for HTTPS multiple domain solution
  51. Redirect the whole blog to SSL but not the RSS feed (under Nginx)
  52. WordPress 4.0 Forces entire site into SSL
  53. How to control SSL in WordPress for automatically changing http to https?
  54. Site not reachable due to change from HTTP to HTTPS [closed]
  55. How do I handle SSL properly when WP is behind a reverse proxy?
  56. How to keep WP from using https to get to wordpress.org?
  57. How do I find non-SSL problems on my SSL page?
  58. SSL doesn’t work on certain pages – what is wrong?
  59. WordPress site shown as Not Secure on Chrome when SSL certificate is valid
  60. ERR_TOO_MANY_REDIRECTS on wordpress page [closed]
  61. Disable WordPress accessing WordPress.org to check for updates
  62. URLs not being output with https
  63. How to protect login via SSL but not the rest of the dashboard
  64. ERR_CONNECTION_REFUSED
  65. The REST API request failed due to an error. cURL error 60: SSL certificate problem: certificate has expired
  66. Do I install WordPress from my Cpanel on https or http, if my website has valid certificate?
  67. SSL not working fine, Home url not matching with site url wordpress errors
  68. Website Migration (with https) to a new domain(http)
  69. Why does WordPress uses HTTPS for JS, CSS on EC2
  70. ERR_SSL_PROTOCOL_ERROR
  71. WordPress – SSL not working – browser console error “Mixed Content” and “Failed to load resource”
  72. Problem forcing San SSL certificate on WordPress
  73. SSL Certificate
  74. Front-end pages messed up due to HTTPS
  75. How to send user data from one website to another
  76. site on subdomain is redirecting to main site after installing wildcard ssl cert on both
  77. How to switch static files back to using HTTP instead of HTTPS?
  78. WordPress Insecure Content
  79. SSL certificate breaks CSS (in combination with W3TC)
  80. I just updated my SSL certificate and now my site looses formatting when
  81. I would like to add ssl certificate to my already existing wordpress site
  82. WordPress and SSL
  83. My WordPress site SSL is in red crossed color and can’t load at first time?
  84. SSL problems with WordPress
  85. SSL/HTTPS Redirect Loop
  86. The plain HTTP request was sent to HTTPS port in wordpress [closed]
  87. iHow to redirect all http traffic to https now that a SSL certificate is added?
  88. How to force static assets with HTTP sources to load over HTTPS?
  89. WordPress stuck at Step 1 of setup behind nginx reverse proxy
  90. Issue when site move from ssl domain to new domain without ssl
  91. Displaying a remote SSL certificate details using CLI tools
  92. how to download the ssl certificate from a website?
  93. Is there a reason to use an SSL certificate other than Let’s Encrypt’s free SSL?
  94. Wildcard SSL certificate for second-level subdomain
  95. Properly setting up a “default” nginx server for https
  96. Does each subdomain need it’s own SSL certificate?
  97. Does each server behind a load balancer need their own SSL certificate?
  98. Generating a self-signed cert with openssl that works in Chrome 58
  99. Changing my URL in General Settings cause the site to crash
  100. wordpress is auto using http: not https: as it needs to because the server is http behind a reverse proxy https, how do I stop it?

Leave a Comment