Hi,

Point 9.1.2 in OpenCA's guide describes how to set up data exchange via scp and public keys. While that setup may be OK if access to the CA web interface is limited to localhost only, in other cases the private key gets exposed via HTTP. IMHO we should mention that the home directory of the www user shouldn't coincide with Apache's document root, or that the .ssh directory should be protected with a <Directory> directive in the httpd config.

Also, it may be wise, on the RA machine, to add the CA's ssh public key to the authorized_keys file with the "from" option, to limit its use from certain IPs only.

Best wishes,

PS: Am I too paranoid??? :)

--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law

_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel
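
The two checks suggested in the message above, as an added example that is not part of the original post or of OpenCA: it flags authorized_keys entries that lack a "from" restriction and tests whether the www user's .ssh directory lies inside the document root (path layout only; it does not read httpd config). Function names, paths and the sample entries are constructed for illustration.

```python
import os
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of the key-type field

# Constructed sample authorized_keys content (keys are placeholders).
SAMPLE = "\n".join([
    "# constructed sample for the RA account",
    'from="192.0.2.10",no-pty,command="echo a, b" ssh-ed25519 AAAA-constructed ca@example',
    "ssh-rsa AAAA-constructed ca-unrestricted@example",
    "no-port-forwarding ssh-ed25519 AAAA-constructed other@example",
])

def split_options(line):
    """Split one authorized_keys entry into (options dict, remainder)."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}, line                      # entry has no options field
    in_quotes = False
    for i, ch in enumerate(line):            # options end at first unquoted blank
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            break
    else:
        return {}, line                      # malformed: no key field found
    opts = {}
    for m in re.finditer(r'([A-Za-z-]+)(?:="((?:[^"\\]|\\.)*)")?', line[:i]):
        opts[m.group(1).lower()] = m.group(2)
    return opts, line[i:].strip()

def unrestricted_keys(text):
    """Return 1-based line numbers of keys that lack a from= restriction."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            opts, _ = split_options(line)
            if not opts.get("from"):
                hits.append(n)
    return hits

def ssh_dir_web_exposed(home, docroot):
    """True if <home>/.ssh resolves to a path inside the document root."""
    ssh_dir = os.path.realpath(os.path.join(home, ".ssh"))
    root = os.path.realpath(docroot)
    return os.path.commonpath([ssh_dir, root]) == root

if __name__ == "__main__":
    print("keys without from=:", unrestricted_keys(SAMPLE))
    print("exposed:", ssh_dir_web_exposed("/srv/constructed/www", "/srv/constructed/www"))
```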
