Well, you can always put a password on the private key, but then you'd need to enter it when the server starts. I can see this being done in some situations, but not most.

-- 
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices

Identity Management, LDAP, and Linux Integration

Tim Fournet wrote:
> Actually, you only need the private key when _starting_ apache. After
> it's started, it's loaded in memory and you can take your key offline.
> Some people go through the trouble of protecting their keys by doing
> things like only having the volume with the private keys mounted during
> a startup process, then making the server unable to reach them
> afterwards. One option would be to keep the keys on a USB drive, and
> removing that drive after apache starts. Or maybe create a modified
> filesystem driver that only works if `uptime` is less than a certain
> amount, and format your ssl-key partition with that filesystem
>
> -ray wrote:
>> Unless you want to run back to the safe for every single HTTPS
>> connection, then your web server needs the private key file.
>>
>> The SSL certificate, in simplest terms is your public key. It also
>> contains your Certificate Authority (CA) info. After verifying your
>> certificate and CA, the client can then encrypt data using your public
>> key, and send it to the webserver. In order to decrypt said data, the
>> webserver *needs* the private key.
>>
>> Of course SSL is much more complicated, but the encryption part is
>> basically public/private key encryption. If you have data encrypted with
>> the public key, you need the private key to decrypt it.
>>
>> The certificate is useless without the private key.
>>
>> ray
>>
>> On Tue, 27 Nov 2007, John Hebert wrote:
>>
>>> Er, are you keeping your SSL private key files on your server? Shouldn't
>>> those be on an encrypted thumb drive and locked away in a safe?
>>>
>>> For SSL, you only need your private keys when generating/signing
>>> certificates. Maybe you are thinking of PKI?
>>>
>>> Here's a handy analogy: Apps aren't supposed to touch your privates.
>>>
>>> John Hebert
>>>
>>> ----- Original Message ----
>>> From: Dustin Puryear <dustin at puryear-it.com>
>>> To: general at brlug.net
>>> Sent: Tuesday, November 27, 2007 9:16:45 AM
>>> Subject: Re: [brlug-general] Where do you put your SSL files?
>>>
>>> Well, you can't put them on a shared drive unless you are very careful
>>> with perms on the .key files, no?
>>>
>>> John Hebert wrote:
>>>> 1. We keep our certs in an application-specific area
>>>> (/app/tomcat/conf/ssl.*), but then hosting that app is all we do with our
>>>> servers. If you have lots of apps on the server that need a cert, then
>>>> put them in a central location like /usr/shared/ssl/certs like you said.
>>>>
>>>> If you have lots of certs, you would probably want to store them
>>>> centrally and categorize them differently. Depends on the situation.
>>>>
>>>> BTW, you don't have to store certs for specific servers on the server
>>>> itself. They could all be put in a shared drive somewhere, as long as
>>>> your app knows where to find them.
>>>>
>>>> 2. Use a cert vendor that gives you better management tools for your
>>>> certs. We use Entrust.com, but then we don't manage more than a few
>>>> dozen certs for customers. Don't have much experience with the others.
>>>>
>>>> John Hebert
>>>>
>>>> ----- Original Message ----
>>>> From: Dustin Puryear <dustin at puryear-it.com>
>>>> To: Sage Members <sage-members at sage.org>; general at brlug.net; nolug at nolug.org
>>>> Sent: Monday, November 26, 2007 1:52:48 PM
>>>> Subject: [brlug-general] Where do you put your SSL files?
>>>>
>>>> So, a little issue I see a lot is that SSL cert files seem to go
>>>> everywhere. I may see some under /var/shared/ssl/certs/, some under
>>>> application-specific directories (e.g., /etc/httpd/conf/ssl.*/,
>>>> /etc/ldap/), etc.
>>>>
>>>> What are your thoughts on:
>>>>
>>>> 1. Putting all certs under a standardized location, e.g.,
>>>> /usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them for
>>>> a little more security.
>>>>
>>>> 2. Keeping them in application-specific areas.
>>>>
>>>> Also, how are you keeping track of cert expiration? We usually get
>>>> emails from the SSL cert vendor about renewals, but..
>>>
>>> _______________________________________________
>>> General mailing list
>>> General at brlug.net
>>> http://mail.brlug.net/mailman/listinfo/general_brlug.net
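The two practical questions raised in the thread (a standardized directory like /usr/shared/ssl/certs/ with tightened permissions, and tracking cert expiration without depending on vendor renewal emails) can be covered by one cron-able check. The script below is an added example, not code posted by anyone in the thread; it assumes the openssl CLI and GNU stat (Linux), and the *.crt/*.pem plus *.key file layout is a hypothetical convention.

```sh
#!/bin/sh
# Added example (not from the thread). Audits a central cert directory such as
# /usr/shared/ssl/certs/ for certificates that expire soon and for private key
# files readable by group or world. Assumes the openssl CLI and GNU stat; the
# *.crt/*.pem + *.key layout is a hypothetical convention.

# check_cert_expiry DIR [DAYS]: print "EXPIRING <file> <notAfter>" for each
# certificate in DIR that expires within DAYS (default 30). Returns 0 when
# nothing is expiring, 1 otherwise, so it can drive a cron alert.
check_cert_expiry() {
    dir=$1; days=${2:-30}; rc=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # skip files that do not hold a certificate (e.g. a bare key in .pem)
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend N exits non-zero if the cert will have expired N seconds from now
        if ! openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "EXPIRING $f $(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)"
            rc=1
        fi
    done
    return $rc
}

# check_key_perms DIR: print "LOOSE <file> <mode>" for each *.key file whose
# group or other bits are set; the only acceptable modes are owner-only (0600/0400).
check_key_perms() {
    dir=$1; rc=0
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        # 0$mode forces octal; any group/other bit (077) is a finding
        if [ $((0$mode & 077)) -ne 0 ]; then
            echo "LOOSE $f $mode"
            rc=1
        fi
    done
    return $rc
}

# Usage: ssl-audit.sh /usr/shared/ssl/certs [days]
if [ "$#" -ge 1 ]; then
    check_cert_expiry "$1" "${2:-30}"
    check_key_perms "$1"
fi
```

Run it from cron and alert on a non-zero exit; the EXPIRING/LOOSE lines name the file to renew or to chmod 600.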
