Er, are you keeping your SSL private key files on your server? Shouldn't those be on an encrypted thumb drive and locked away in a safe?

For SSL, you only need your private keys when generating/signing certificates. Maybe you are thinking of PKI?

Here's a handy analogy: Apps aren't supposed to touch your privates.

John Hebert

----- Original Message ----
From: Dustin Puryear <[EMAIL PROTECTED]>
To: general at brlug.net
Sent: Tuesday, November 27, 2007 9:16:45 AM
Subject: Re: [brlug-general] Where do you put your SSL files?

Well, you can't put them on a shared drive unless you are very careful with perms on the .key files, no?

John Hebert wrote:
> 1. We keep our certs in an application-specific area (/app/tomcat/conf/ssl.*), but then hosting that app is all we do with our servers. If you have lots of apps on the server that need a cert, then put them in a central location like /usr/shared/ssl/certs like you said.
>
> If you have lots of certs, you would probably want to store them centrally and categorize them differently. Depends on the situation.
>
> BTW, you don't have to store certs for specific servers on the server itself. They could all be put in a shared drive somewhere, as long as your app knows where to find them.
>
> 2. Use a cert vendor that gives you better management tools for your certs. We use Entrust.com, but then we don't manage more than a few dozen certs for customers. Don't have much experience with the others.
>
> John Hebert
>
> ----- Original Message ----
> From: Dustin Puryear <dustin at puryear-it.com>
> To: Sage Members <sage-members at sage.org>; general at brlug.net; nolug at nolug.org
> Sent: Monday, November 26, 2007 1:52:48 PM
> Subject: [brlug-general] Where do you put your SSL files?
>
> > So, a little issue I see a lot is that SSL cert files seem to go
> > everywhere. I may see some under /var/shared/ssl/certs/, some under
> > application-specific directories (e.g., /etc/httpd/conf/ssl.*/,
> > /etc/ldap/), etc.
> >
> > What are your thoughts on:
> >
> > 1. Putting all certs under a standardized location, e.g.,
> > /usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them for
> > a little more security.
> >
> > 2. Keeping them in application-specific areas.
> >
> > Also, how are you keeping track of cert expiration? We usually get
> > emails from the SSL cert vendor about renewals, but..
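The thread's concern about permissions on .key files, wherever the files end up living, can be checked mechanically. The following is an added example, not code from any poster in the thread: the function names (`looks_like_private_key`, `audit_keys`, `demo`) and the sample file names are hypothetical, and the sample tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile

PEM_MARKER = b"PRIVATE KEY-----"  # tail of RSA/EC/PKCS#8 PEM header lines


def looks_like_private_key(path):
    """True if the file is named *.key or carries a PEM private-key header."""
    if path.endswith(".key"):
        return True
    try:
        with open(path, "rb") as fh:
            return PEM_MARKER in fh.read(4096)
    except OSError:
        return False


def audit_keys(root):
    """Return sorted (path, problem) pairs for key files accessible beyond the owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode) or not looks_like_private_key(path):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IRWXO:
                findings.append((path, "world-accessible (%04o)" % mode))
            elif mode & stat.S_IRWXG:
                findings.append((path, "group-accessible (%04o)" % mode))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (placeholder contents) and audit it."""
    root = tempfile.mkdtemp()
    samples = {"web.key": 0o644, "ldap.key": 0o640, "mail.key": 0o600, "web.crt": 0o644}
    for name, mode in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not real key material\n")
        os.chmod(path, mode)
    return [(os.path.basename(p), why) for p, why in audit_keys(root)]


if __name__ == "__main__":
    for name, why in demo():
        print(name, why)
```

Certificates (`.crt`) are public and are deliberately not flagged; only files that look like private keys are reported.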
