On Wed, Mar 24, 2010 at 4:02 AM, Chris Jacobs <[email protected]> wrote:
> Alexander,

Just Alex :) (getting used to google mail). Alexander reminds me of being in
trouble from the parents.

> I don't know if they only get read at startup or not... but it does bring up
> the question: Why?

I would like to have another layer of protection on the machine / certificates.
I would have thought it would have been a quick and easy question - yes, I could
go and read the src, but.

> Protect the file with chmod 440 permissions (with root/root or ldap/ldap or
> whatever the user/group you use to run slapd).

Yep, I do: root.openldap (Debian).

> If there are others with root permission to this box that shouldn't or you
> don't want to have access to these files - you /really should/ fix that issue
> first. Then trust the file system permissions to do their job.

So why allow for encrypted private keys? :)

> Sadly, I suspect though that you're dead set on keeping the certs password
> protected, and won't be doing the above.

The above is already done.

> However, you could always just /try/ - if it works, then you know the answer.
> Just get used to restarting/starting slapd being a needless PITA.

Not sure where you got the idea I haven't already done this? And I am not sure
why it's bad to look for another layer of security.

> Thanks,
> - chris
>
> -----Original Message-----
> From: openldap-technical-bounces+chris.jacobs=apollogrp....@openldap.org
> [mailto:openldap-technical-bounces+chris.jacobs=apollogrp....@openldap.org]
> On Behalf Of Alexander Samad
> Sent: Monday, March 22, 2010 11:21 PM
> To: [email protected]
> Subject: Fwd: tls private key
>
> Hi
>
> Thought I would re-ask: do certificates only get read at start up? I store my
> certs with a password. Can I un-password-protect the key, start slapd, and
> then remove the unpassworded private key file?
>
> Will this be okay until such a time as slapd gets restarted?
>
> Alex
>
> ---------- Forwarded message ----------
> From: Alex Samad <[email protected]>
> Date: Sat, Jan 16, 2010 at 6:03 PM
> Subject: tls private key
> To: [email protected]
>
> Hi
>
> I am setting up my syncrepl to use certificates; my problem is I don't want
> to leave my private key for the server unencrypted.
>
> Is the file pointed to by TLSCertificateKeyFile just read at slapd load-up
> time, i.e. can I decrypt the file, start slapd and then remove the
> unencrypted file?
>
> Alex
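The thread turns on two things: whether slapd re-reads TLSCertificateKeyFile after startup (which the thread does not settle), and whether file permissions alone (chmod 440, root/openldap on Debian) are an adequate control for an unencrypted key. The script below is an added example, not part of the original thread and not OpenLDAP code. It locates the key file named by a slapd.conf-style TLSCertificateKeyFile directive, checks the mode and ownership conditions Chris describes, and reports whether the PEM is password-protected, so an operator can see at a glance which of the two layers is actually in place. The config text and PEM it builds are constructed samples, and the expected owner/group are taken from the current process rather than the root/openldap pair used on a real server.

```python
import os
import re
import stat
import tempfile

# slapd.conf directive that names the TLS private key (from the thread).
TLS_KEY_DIRECTIVE = "TLSCertificateKeyFile"

# Constructed, non-functional PEM body: only the headers matter to the audit.
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n"
    "\n"
    "Q09OU1RSVUNURUQgU0FNUExFIE5PVCBBIFJFQUwgS0VZ\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def find_key_file(config_text):
    """Return the path given to TLSCertificateKeyFile in slapd.conf text, or None."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == TLS_KEY_DIRECTIVE.lower():
            return parts[1].strip().strip('"')
    return None


def pem_is_encrypted(pem_text):
    """True if the PEM is password-protected: PKCS#8 'ENCRYPTED PRIVATE KEY'
    block, or the legacy OpenSSL 'Proc-Type: 4,ENCRYPTED' header."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True
    return re.search(r"^Proc-Type:\s*4,\s*ENCRYPTED", pem_text, re.M) is not None


def audit_key_file(path, expected_uid, expected_gid):
    """Check mode, owner and group of the key file and whether it is encrypted.
    Returns a dict; an empty 'findings' list means every check passed."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    # Anything for 'other', or group write/exec, is looser than the 440 the thread recommends.
    if mode & stat.S_IRWXO:
        findings.append("key file is accessible to 'other' (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append("key file is group-writable or group-executable (mode %o)" % mode)
    if st.st_uid != expected_uid:
        findings.append("owner uid %d != expected %d" % (st.st_uid, expected_uid))
    if st.st_gid != expected_gid:
        findings.append("group gid %d != expected %d" % (st.st_gid, expected_gid))
    with open(path, "r") as f:
        encrypted = pem_is_encrypted(f.read())
    if not encrypted:
        findings.append("private key is not password-protected; file permissions are the only control")
    return {
        "path": path,
        "mode": mode,
        "mode_ok": not (mode & (stat.S_IRWXO | stat.S_IWGRP | stat.S_IXGRP)),
        "owner_ok": st.st_uid == expected_uid,
        "group_ok": st.st_gid == expected_gid,
        "encrypted": encrypted,
        "findings": findings,
    }


def demo():
    """Build a constructed slapd.conf and key file in a temp dir, then audit them.
    Uses the current uid/gid as the expected owner (a stand-in for root/openldap)."""
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "server.key")
        with open(key_path, "w") as f:
            f.write(SAMPLE_ENCRYPTED_KEY)
        os.chmod(key_path, 0o440)
        conf = (
            "# constructed slapd.conf fragment\n"
            "TLSCertificateFile %s/server.crt\n"
            'TLSCertificateKeyFile "%s"\n' % (d, key_path)
        )
        return audit_key_file(find_key_file(conf), os.getuid(), os.getgid())


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-10s %s" % (k, v))
```

On a real host you would pass the path from the live config and the uid/gid of the user slapd runs as (root/openldap on the Debian setup in the thread); a non-empty findings list tells you which of the two layers, permissions or key passphrase, is missing.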
