Actually, you only need the private key when _starting_ apache. After
it's started, it's loaded in memory and you can take your key offline.
Some people go through the trouble of protecting their keys by doing
things like only having the volume with the private keys mounted during
a startup process, then making the server unable to reach them
afterwards. One option would be to keep the keys on a USB drive and
remove that drive after apache starts. Or maybe create a modified
filesystem driver that only works if `uptime` is less than a certain
amount, and format your ssl-key partition with that filesystem.
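Whatever directory you settle on, the two things worth checking on a schedule are the ones raised in Dustin's original question below: that the .key files stay readable by their owner only (httpd reads them at startup, before dropping privileges, so nothing else needs access), and that nothing is quietly about to expire. This is an added POSIX shell example, not code from anyone in the thread; it assumes the openssl CLI is installed and that private keys are named *.key and PEM certificates *.crt.

```shell
#!/bin/sh
# Audit a central SSL directory (e.g. /usr/shared/ssl/certs/) for the two
# things this thread worries about: private keys that anyone besides their
# owner can read, and certificates that are about to expire.
# Assumes the openssl CLI and a layout of *.key (private keys) and *.crt
# (PEM certificates); both are assumptions, not part of the thread.

# Succeeds only if the key's group and other permission bits are all clear
# (e.g. -rw-------). The server reads the key once at startup as root, so
# nobody else needs to read it.
key_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group+other triplets of "-rw-------"
    [ "$mode" = "------" ]
}

# Succeeds only if the certificate stays valid for at least $2 more days.
# openssl's -checkend exits nonzero when the cert expires within N seconds.
cert_outlives_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Walks one directory, prints a line per finding, and returns the number of
# findings (0 means nothing to fix), so it can drive a cron job's exit code.
audit_ssl_dir() {
    dir=$1; days=$2; findings=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        if ! key_is_private "$f"; then
            echo "key readable by group/other: $f ($(ls -ld "$f" | cut -c1-10))"
            findings=$((findings + 1))
        fi
    done
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue
        if ! cert_outlives_days "$f" "$days"; then
            echo "cert expires within $days days: $f ($(openssl x509 -in "$f" -noout -enddate))"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Usage: audit_ssl_dir /usr/shared/ssl/certs 30
```

Run it from cron against your key directory and alert on a nonzero exit; the printed lines say which file and why.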

-ray wrote:
> Unless you want to run back to the safe for every single HTTPS 
> connection, then your web server needs the private key file.
>
> The SSL certificate, in simplest terms, is your public key.  It also 
> contains your Certificate Authority (CA) info.  After verifying your 
> certificate and CA, the client can then encrypt data using your public 
> key, and send it to the webserver.  In order to decrypt said data, the 
> webserver *needs* the private key.
>
> Of course SSL is much more complicated, but the encryption part is 
> basically public/private key encryption.  If you have data encrypted with 
> the public key, you need the private key to decrypt it.
>
> The certificate is useless without the private key.
>
> ray
>
> On Tue, 27 Nov 2007, John Hebert wrote:
>
>> Er, are you keeping your SSL private key files on your server? Shouldn't 
>> those be on an encrypted thumb drive and locked away in a safe?
>>
>> For SSL, you only need your private keys when generating/signing 
>> certificates. Maybe you are thinking of PKI?
>>
>> Here's a handy analogy: Apps aren't supposed to touch your privates.
>>
>> John Hebert
>>
>> ----- Original Message ----
>> From: Dustin Puryear <dustin at puryear-it.com>
>> To: general at brlug.net
>> Sent: Tuesday, November 27, 2007 9:16:45 AM
>> Subject: Re: [brlug-general] Where do you put your SSL files?
>>
>>
>> Well, you can't put them on a shared drive unless you are very careful
>> with perms on the .key files, no?
>>
>> John Hebert wrote:
>>> 1. We keep our certs in an application-specific area
>>> (/app/tomcat/conf/ssl.*), but then hosting that app is all we do with our
>>> servers. If you have lots of apps on the server that need a cert, then
>>> put them in a central location like /usr/shared/ssl/certs like you said.
>>>
>>> If you have lots of certs, you would probably want to store them
>>> centrally and categorize them differently. Depends on the situation.
>>>
>>> BTW, you don't have to store certs for specific servers on the server
>>> itself. They could all be put in a shared drive somewhere, as long as
>>> your app knows where to find them.
>>>
>>> 2. Use a cert vendor that gives you better management tools for your
>>> certs. We use Entrust.com, but then we don't manage more than a few
>>> dozen certs for customers. Don't have much experience with the others.
>>>
>>> John Hebert
>>>
>>> ----- Original Message ----
>>> From: Dustin Puryear <dustin at puryear-it.com>
>>> To: Sage Members <sage-members at sage.org>; general at brlug.net;
>>> nolug at nolug.org
>>> Sent: Monday, November 26, 2007 1:52:48 PM
>>> Subject: [brlug-general] Where do you put your SSL files?
>>>
>>> So, a little issue I see a lot is that SSL cert files seem to go
>>> everywhere. I may see some under /var/shared/ssl/certs/, some under
>>> application-specific directories (e.g., /etc/httpd/conf/ssl.*/,
>>> /etc/ldap/), etc.
>>>
>>> What are your thoughts on:
>>>
>>> 1. Putting all certs under a standardized location, e.g.,
>>> /usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them for a
>>> little more security.
>>>
>>> 2. Keeping them in application-specific areas.
>>>
>>> Also, how are you keeping track of cert expiration? We usually get
>>> emails from the SSL cert vendor about renewals, but..
>>>
>> _______________________________________________
>> General mailing list
>> General at brlug.net
>> http://mail.brlug.net/mailman/listinfo/general_brlug.net