
Removing the passphrase from the private key


Passphrases are often, but not always, used to encrypt the private key of a certificate and private key pair. The certificate itself is not encrypted with the passphrase. When adding a certificate and private key to a FileMaker Server, you must provide the passphrase so the private key can be decrypted when FileMaker Server starts up.

You can remove the passphrase from the private key by using the openssl rsa command (see below). There are some cases where doing so is useful. This document covers those cases and how to do it.


Please think carefully about whether you want to do this. You will be removing a layer of security from your cert: the private key will be stored unencrypted on disk. Check with the appropriate people in your organization before doing this.


You shouldn't need to do this under normal circumstances. This is a workaround for a couple of rare cases where passphrases that work with FileMaker Server do not work with Otto.

When is this useful?

Otto bug on Linux

There is a known issue with Otto 3.0.1 on Linux that interferes with passphrases.

Private Cert Authorities

There are some companies that act as their own private cert authorities. There have been a couple of cases where the passphrases do not work with Otto.

Removing the passphrase

To remove the passphrase from an SSL private key, we can use the openssl command. If the name of the private key file is key-with-passphrase.key, we can remove the passphrase using the following syntax.

openssl rsa -in key-with-passphrase.key -out key-without-passphrase.key

Enter the original passphrase when prompted and press Enter. This will output a new key without a passphrase.
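Before reimporting, it is worth confirming that the new key really is unencrypted, is readable only by its owner, and still matches the certificate. The script below is an added example, not part of Otto or FileMaker Server; it runs the procedure on a throwaway key and self-signed certificate it generates itself. The passphrase, cert.pem and example.invalid are constructed values, and -passin is used only so the example runs unattended (the interactive prompt above keeps the passphrase off the command line).

```shell
#!/bin/sh
# Added example, not Otto or FileMaker tooling. The passphrase, cert.pem and
# example.invalid are constructed; the key file names follow the article.

# Succeeds if the PEM private key file is still passphrase-protected.
# Covers both "BEGIN ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Writes an unencrypted copy of key $1 to $2, readable by its owner only.
# $3 is the passphrase; the article's form omits -passin and prompts instead.
remove_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -out "$2" -passin "pass:$3" 2>/dev/null ) &&
        chmod 600 "$2"
}

# Succeeds if unencrypted key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Builds a throwaway encrypted key and self-signed certificate in directory $1.
make_sample_pair() {
    openssl genrsa -aes256 -passout pass:example-passphrase \
        -out "$1/key-with-passphrase.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/key-with-passphrase.key" \
        -passin pass:example-passphrase -subj "/CN=example.invalid" \
        -days 1 -out "$1/cert.pem" 2>/dev/null
}

# Runs the whole procedure on the sample pair and reports the checks.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample_pair "$dir" || return 1
    remove_passphrase "$dir/key-with-passphrase.key" \
        "$dir/key-without-passphrase.key" example-passphrase || return 1
    key_is_encrypted "$dir/key-without-passphrase.key" && return 1
    key_matches_cert "$dir/key-without-passphrase.key" "$dir/cert.pem" || return 1
    echo "unencrypted, matches cert, mode $(ls -l "$dir/key-without-passphrase.key" | cut -c1-10)"
    rm -rf "$dir"
}

demo
```

On a real server, run key_is_encrypted and key_matches_cert against your own key-without-passphrase.key and certificate file before reimporting.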

Don't forget to reimport certificate

After removing the need for the passphrase, you will need to reimport the certificate into FileMaker Server. You can use the FileMaker Server Admin Console, the command line tool, or the Admin API to do that.