Sir SoilentG_kov wrote:
> 
> It's in the FAQs and was very easy to do.  Now I can boot remotely and
> walk away :)  Security? well, if someone can get into the
> /etc/httpd/conf/ssl
> directory then I'm hosed anyhow so why worry?  I think one of the gurus
> around here even said p'word protecting the keys is sorta useless... maybe I
> saw that in the archives... dunno.

Having a password means that no one can use your certificate - even if
they obtain a copy of it. They can load the cert into their server but
it won't let the server come up unless they know the password.

The downside is that you have to type in the password personally to
start apache. Tricks like putting the password in a program and so on
just shift the risk - the hacker just needs to grab the program.

My personal tuppence-worth is that if you have a machine where there is
a risk that hackers can steal root-privileged files then you should not
be running it as an SSL web-server (if they can steal a cert, they can
steal your customers' private data - exposing you to a liability issue).
So if you protect your server to the utmost, you have no need of a
password protected certificate.

Rgds,

Owen Boyle
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
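Owen's point that a stolen copy of the key file is useless without its passphrase only holds if the key on disk is actually encrypted; a key generated without a passphrase, or one decrypted later for unattended boot, gives that protection up. The script below is an added example written for this thread (not code from mod_ssl or from either poster). It audits a key directory the way a reviewer would check /etc/httpd/conf/ssl: it inspects only the PEM framing (never decrypting anything), reports whether each private key is passphrase-protected, and flags files readable by group or world. The directory layout and the sample key files are constructed for the demo; their base64 bodies are placeholders, not real key material.

```python
"""Audit a directory of PEM private keys for passphrase protection.

Added example for this thread, not code from mod_ssl or from either poster.
It inspects only the PEM framing and never decrypts anything. It recognises
the three PEM forms OpenSSL writes for private keys:
  -----BEGIN ENCRYPTED PRIVATE KEY-----   PKCS#8, passphrase-protected
  -----BEGIN PRIVATE KEY-----             PKCS#8, plaintext
  -----BEGIN RSA PRIVATE KEY-----         traditional; encrypted only when a
                                          "Proc-Type: 4,ENCRYPTED" header follows
"""
import os
import re
import stat
import tempfile
from typing import Dict, Optional, Tuple

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----")


def key_is_encrypted(pem_text: str) -> Optional[bool]:
    """True if the first PEM block is a passphrase-protected private key,
    False if it is a plaintext private key, None if it is not a private key
    (certificate, CSR, DH parameters, or no PEM at all)."""
    m = PEM_BEGIN.search(pem_text)
    if not m:
        return None
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    if label == "PRIVATE KEY":
        return False
    if not label.endswith("PRIVATE KEY"):
        return None
    # Traditional format: optional "Name: value" headers sit between the BEGIN
    # line and the base64 body. Base64 never contains ':', so stop at the first
    # line without one (the blank separator line or the body itself).
    headers = []
    for line in pem_text[m.end():].lstrip("\r\n").splitlines():
        if ":" not in line:
            break
        headers.append(line.strip())
    return any(re.match(r"Proc-Type:\s*4,ENCRYPTED", h) for h in headers)


def owner_only(path: str) -> bool:
    """True when group and world have no permission bits on the file."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


def audit_key_dir(directory: str) -> Dict[str, Tuple[Optional[bool], bool]]:
    """Map each regular file to (encrypted?, owner-only permissions?)."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            report[name] = (key_is_encrypted(fh.read()), owner_only(path))
    return report


def findings(report: Dict[str, Tuple[Optional[bool], bool]]):
    """Names a reviewer should look at: private keys stored in plaintext or
    readable by group/world. Non-key files (certificates etc.) are ignored."""
    return sorted(name for name, (enc, private) in report.items()
                  if enc is not None and (enc is False or not private))


# Constructed samples: the base64 bodies are placeholders, not real keys.
SAMPLES = {
    "plain_pkcs8.key": (
        "-----BEGIN PRIVATE KEY-----\n"
        "UExBQ0VIT0xERVI=\n"
        "-----END PRIVATE KEY-----\n", 0o600),
    "encrypted_pkcs8.key": (
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
        "UExBQ0VIT0xERVI=\n"
        "-----END ENCRYPTED PRIVATE KEY-----\n", 0o600),
    "plain_rsa.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "UExBQ0VIT0xERVI=\n"
        "-----END RSA PRIVATE KEY-----\n", 0o644),
    "encrypted_rsa.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
        "\n"
        "UExBQ0VIT0xERVI=\n"
        "-----END RSA PRIVATE KEY-----\n", 0o600),
    "server.crt": (
        "-----BEGIN CERTIFICATE-----\n"
        "UExBQ0VIT0xERVI=\n"
        "-----END CERTIFICATE-----\n", 0o644),
}


def demo() -> Dict[str, Tuple[Optional[bool], bool]]:
    """Write the constructed samples to a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for name, (text, mode) in SAMPLES.items():
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        return audit_key_dir(d)


if __name__ == "__main__":
    report = demo()
    for name, (enc, private) in report.items():
        print(f"{name:22} encrypted={enc!s:5} owner_only={private}")
    print("needs attention:", findings(report))
```

Run it against a real directory with `audit_key_dir("/etc/httpd/conf/ssl")` (as root, since the keys should not be readable otherwise). The "password in a program" trick Owen mentions is what mod_ssl's `SSLPassPhraseDialog exec:` form does; this audit cannot see that, so a key reported as encrypted still deserves a look at where the passphrase comes from. An encrypted key that is copied off the box is also open to offline guessing, so the passphrase has to be strong enough to make that pointless.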