Unless you want to run back to the safe for every single HTTPS connection, then your web server needs the private key file.
The SSL certificate, in simplest terms, is your public key. It also contains your Certificate Authority (CA) info. After verifying your certificate and CA, the client can then encrypt data using your public key, and send it to the webserver. In order to decrypt said data, the webserver *needs* the private key. Of course SSL is much more complicated, but the encryption part is basically public/private key encryption. If you have data encrypted with the public key, you need the private key to decrypt it. The certificate is useless without the private key.

ray

On Tue, 27 Nov 2007, John Hebert wrote:

> Er, are you keeping your SSL private key files on your server? Shouldn't
> those be on an encrypted thumb drive and locked away in a safe?
>
> For SSL, you only need your private keys when generating/signing
> certificates. Maybe you are thinking of PKI?
>
> Here's a handy analogy: Apps aren't supposed to touch your privates.
>
> John Hebert
>
> ----- Original Message ----
> From: Dustin Puryear <dustin at puryear-it.com>
> To: general at brlug.net
> Sent: Tuesday, November 27, 2007 9:16:45 AM
> Subject: Re: [brlug-general] Where do you put your SSL files?
>
> Well, you can't put them on a shared drive unless you are very careful
> with perms on the .key files, no?
>
> John Hebert wrote:
>> 1. We keep our certs in an application-specific area
>> (/app/tomcat/conf/ssl.*), but then hosting that app is all we do with our
>> servers. If you have lots of apps on the server that need a cert, then put
>> them in a central location like /usr/shared/ssl/certs like you said.
>>
>> If you have lots of certs, you would probably want to store them
>> centrally and categorize them differently. Depends on the situation.
>>
>> BTW, you don't have to store certs for specific servers on the server
>> itself. They could all be put in a shared drive somewhere, as long as
>> your app knows where to find them.
>>
>> 2. Use a cert vendor that gives you better management tools for your
>> certs. We use Entrust.com, but then we don't manage more than a few
>> dozen certs for customers. Don't have much experience with the others.
>>
>> John Hebert
>>
>> ----- Original Message ----
>> From: Dustin Puryear <dustin at puryear-it.com>
>> To: Sage Members <sage-members at sage.org>; general at brlug.net;
>> nolug at nolug.org
>> Sent: Monday, November 26, 2007 1:52:48 PM
>> Subject: [brlug-general] Where do you put your SSL files?
>>
>> So, a little issue I see a lot is that SSL cert files seem to go
>> everywhere. I may see some under /var/shared/ssl/certs/, some under
>> application-specific directories (e.g., /etc/httpd/conf/ssl.*/,
>> /etc/ldap/), etc.
>>
>> What are your thoughts on:
>>
>> 1. Putting all certs under a standardized location, e.g.,
>> /usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them for
>> a little more security.
>>
>> 2. Keeping them in application-specific areas.
>>
>> Also, how are you keeping track of cert expiration? We usually get
>> emails from the SSL cert vendor about renewals, but..
>
> _______________________________________________
> General mailing list
> General at brlug.net
> http://mail.brlug.net/mailman/listinfo/general_brlug.net

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean
http://www.r-a-y.org
Systems Engineer
Southeastern Louisiana University
IBM Certified Specialist
AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
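Dustin's two questions in the thread (chmod'ing the .key files, and keeping track of cert expiration) and Ray's point that the web server itself must be able to read the private key come down to two checks an admin can script. Below is an added example, not code posted by anyone in the thread: a POSIX sh script that audits one directory of SSL files. The directory layout (the /usr/shared/ssl/certs location mentioned in the thread), the .key/.crt/.pem suffixes, the function names and the 30-day default warning window are my assumptions; `openssl x509 -checkend` is a standard openssl option.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): audit a directory of
# SSL files. Private keys (*.key) must not be readable by group or others;
# certificates (*.crt, *.pem) are flagged when they expire within a window.
# The suffixes, the layout and the 30-day default are assumptions.

# check_key_perms FILE
# Returns 0 when FILE exists and its mode has no group/other bits set
# (0600, 0400 or 0700), 1 otherwise. Ownership is left to the caller: the
# key is read by the daemon, so it belongs to root or to the daemon's user.
check_key_perms() {
    f=$1
    [ -f "$f" ] || return 1
    # GNU stat first; BSD/macOS stat as the fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) \
        || return 1
    case "$mode" in
        *00) return 0 ;;   # last two octal digits (group, other) are zero
        *)   return 1 ;;
    esac
}

# check_cert_expiry FILE [DAYS]
# Returns 0 if the PEM certificate in FILE is still valid DAYS days from
# now, 1 if it expires within that window or cannot be parsed, and 2 if
# openssl is not installed.
check_cert_expiry() {
    f=$1
    days=${2:-30}
    command -v openssl >/dev/null 2>&1 || return 2
    # -checkend exits 0 only when the certificate outlives the window
    if openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# audit_ssl_dir DIR [DAYS]
# Prints one line per finding and returns the number of findings (the
# shell caps a return value at 255), so 0 means the directory passed.
audit_ssl_dir() {
    dir=$1
    days=${2:-30}
    findings=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue            # glob matched nothing
        if check_key_perms "$f"; then :; else
            echo "PERMS  $f is readable by group or others"
            findings=$((findings + 1))
        fi
    done
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -e "$f" ] || continue
        if check_cert_expiry "$f" "$days"; then :; else
            rc=$?
            if [ "$rc" -eq 1 ]; then
                echo "EXPIRY $f expires within $days days (or is not a certificate)"
                findings=$((findings + 1))
            else
                echo "SKIP   $f: openssl not available"
            fi
        fi
    done
    return "$findings"
}

# Usage: sh audit_ssl.sh /usr/shared/ssl/certs [days]
if [ $# -gt 0 ]; then
    audit_ssl_dir "$@"
fi
```

Run it from cron as root against whichever directory the certs live in; the exit status is the number of findings, so a nonzero status can page an admin instead of relying only on the vendor's renewal mail. A key that fails `check_key_perms` is readable by every local account, which is exactly the concern behind the "perms on the .key files" remark above.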
