The server needs the public and private keys.

-- 
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices

Identity Management, LDAP, and Linux Integration

John Hebert wrote:
> Er, are you keeping your SSL private key files on your server? Shouldn't
> those be on an encrypted thumb drive and locked away in a safe?
>
> For SSL, you only need your private keys when generating/signing
> certificates. Maybe you are thinking of PKI?
>
> Here's a handy analogy: Apps aren't supposed to touch your privates.
>
> John Hebert
>
> ----- Original Message ----
> From: Dustin Puryear <dustin at puryear-it.com>
> To: general at brlug.net
> Sent: Tuesday, November 27, 2007 9:16:45 AM
> Subject: Re: [brlug-general] Where do you put your SSL files?
>
>
> Well, you can't put them on a shared drive unless you are very careful
> with perms on the .key files, no?
>
> John Hebert wrote:
>> 1. We keep our certs in an application-specific area
>> (/app/tomcat/conf/ssl.*), but then hosting that app is all we do with our
>> servers. If you have lots of apps on the server that need a cert, then
>> put them in a central location like /usr/shared/ssl/certs like you said.
>>
>> If you have lots of certs, you would probably want to store them
>> centrally and categorize them differently. Depends on the situation.
>>
>> BTW, you don't have to store certs for specific servers on the server
>> itself. They could all be put in a shared drive somewhere, as long as
>> your app knows where to find them.
>>
>> 2. Use a cert vendor that gives you better management tools for your
>> certs. We use Entrust.com, but then we don't manage more than a few
>> dozen certs for customers. Don't have much experience with the others.
>>
>> John Hebert
>>
>> ----- Original Message ----
>> From: Dustin Puryear <dustin at puryear-it.com>
>> To: Sage Members <sage-members at sage.org>; general at brlug.net;
>> nolug at nolug.org
>> Sent: Monday, November 26, 2007 1:52:48 PM
>> Subject: [brlug-general] Where do you put your SSL files?
>>
>>
>> So, a little issue I see a lot is that SSL cert files seem to go
>> everywhere. I may see some under /var/shared/ssl/certs/, some under
>> application-specific directories (e.g., /etc/httpd/conf/ssl.*/,
>> /etc/ldap/), etc.
>>
>> What are your thoughts on:
>>
>> 1. Putting all certs under a standardized location, e.g.,
>> /usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them for
>> a little more security.
>>
>> 2. Keeping them in application-specific areas.
>>
>> Also, how are you keeping track of cert expiration? We usually get
>> emails from the SSL cert vendor about renewals, but..
>>
>
> _______________________________________________
> General mailing list
> General at brlug.net
> http://mail.brlug.net/mailman/listinfo/general_brlug.net
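As an added example (not code from anyone in the thread), a small audit script for the two questions raised above: it checks that every *.key file under a central directory such as the /usr/shared/ssl/certs mentioned above is owned by root and has no group/other permission bits, and it flags certificates within 30 days of expiry using the openssl CLI's `-enddate` output. The directory layout, the *.key / *.crt / *.pem naming, the 30-day threshold and the root owner are assumptions.

```python
import os
import ssl
import stat
import subprocess
from datetime import datetime, timezone

WARN_DAYS = 30          # assumed renewal window
EXPECTED_KEY_OWNER = 0  # assumed: private keys belong to root

def parse_enddate(line):
    """'notAfter=Nov 27 09:16:45 2008 GMT' (output of `openssl x509
    -enddate -noout`) -> aware UTC datetime."""
    if not line.startswith("notAfter="):
        raise ValueError("unexpected openssl output: %r" % line)
    secs = ssl.cert_time_to_seconds(line.split("=", 1)[1].strip())
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def days_remaining(not_after, now):
    return (not_after - now).days

def key_file_findings(mode, uid, expected_uid=EXPECTED_KEY_OWNER):
    """Problems with a key file: any group/other bit set, or wrong owner."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other can access key (mode %o)" % (mode & 0o777))
    if uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (uid, expected_uid))
    return findings

def cert_not_after(path):
    # Shell out to the openssl CLI rather than parsing X.509 by hand.
    out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return parse_enddate(out.strip())

def audit(cert_dir, now=None):
    """Check every *.key and *.crt/*.pem in one directory; return findings."""
    now = now or datetime.now(timezone.utc)
    report = []
    for name in sorted(os.listdir(cert_dir)):
        path = os.path.join(cert_dir, name)
        if name.endswith(".key"):
            st = os.stat(path)
            for f in key_file_findings(stat.S_IMODE(st.st_mode), st.st_uid):
                report.append("%s: %s" % (path, f))
        elif name.endswith((".crt", ".pem")):
            left = days_remaining(cert_not_after(path), now)
            if left < WARN_DAYS:
                report.append("%s: expires in %d days" % (path, left))
    return report
```

Run it from cron against the central directory (for example `audit("/usr/shared/ssl/certs")`) and mail any non-empty report, so expiry tracking no longer depends on the vendor's reminder e-mails.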
