Alex,
encrypting the private key really isn't necessary and I highly
doubt it would work for your application nor be worth the hassle.
Securing via file permissions as mentioned previously is really the
best way to tackle this. Think of 'other layers of protection' being
firewalls, intrusion detection, restricted logins, chroot jails, etc.,
etc...
Encryption really works best for UDP-like transportation, like email,
where you cannot guarantee the recipient is the only person able to
'see' the document ;)
On Mar 25, 2010, at 6:32 PM, Alexander Samad <[email protected]> wrote:
On Wed, Mar 24, 2010 at 4:02 AM, Chris Jacobs
<[email protected]> wrote:
Alexander,
Just Alex :) (getting used to Google mail). Alexander reminds me of
being in trouble from the parents.
I don't know if they only get read at startup or not... but it does
bring up the question: Why?
I would like to have another layer of protection on the machine /
certificates. I would have thought it would have been a quick and easy
question - yes I could go and read the src, but.
Protect the file with chmod 440 permissions (with root/root or ldap/
ldap or whatever the user/group you use to run slapd).
Yep, I do: root.openldap (Debian).
If there are others with root permission to this box that shouldn't
or you don't want to have access to these files - you /really
should/ fix that issue first. Then trust the file system
permissions to do their job.
so why allow for encrypted private keys :)
Sadly, I suspect though that you're dead set on keeping the certs
password protected, and won't be doing the above.
The above is already done.
However, you could always just /try/ - if it works, then you know
the answer. Just get used to restarting/starting slapd being a
needless PITA.
Not sure where you got the idea I haven't already done this?
And I am not sure why it's bad to look for another layer of security.
Thanks,
- chris
-----Original Message-----
From: openldap-technical-bounces+chris.jacobs=apollogrp....@openldap.org [mailto:openldap-technical-bounces [email protected]] On Behalf Of Alexander Samad
Sent: Monday, March 22, 2010 11:21 PM
To: [email protected]
Subject: Fwd: tls private key
Hi
Thought I would re-ask: do certificates only get read at start-up?
I store my certs with a password. Can I un-password-protect the key, then
start slapd, and then remove the un-passworded private key file?
Will this be okay until such a time as slapd gets restarted?
Alex
---------- Forwarded message ----------
From: Alex Samad <[email protected]>
Date: Sat, Jan 16, 2010 at 6:03 PM
Subject: tls private key
To: [email protected]
Hi
I am setting up my syncrepl to use certificates. My problem is I
don't want to leave my private key for the server unencrypted.
Is the file pointed to by TLSCertificateKeyFile just read at
slapd load-up time, i.e. can I unencrypt the file, start slapd and
then remove the unencrypted file?
Alex
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktRZMcACgkQkZz88chpJ2MJYQCeIJ5FtSLGRpQJpr1Gco0NSjr8
VlYAnRmvR+YgJTplXoiX9Xsp+JgQH5VH
=iN8i
-----END PGP SIGNATURE-----
This message is private and confidential. If you have received it
in error, please notify the sender and remove it from your system.
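The thread's actual recommendation is to rely on file-system permissions (mode 440, owned by root with slapd's group, root:openldap on Debian) rather than a passphrase on the key. The following is an added example, not code from the thread or from OpenLDAP: a small POSIX shell audit that checks a key file's owner, group and mode against that recommendation, so a misconfigured key (group-writable, world-readable, wrong owner) is caught before slapd is started. It assumes a Linux system with GNU or busybox stat(1); the temporary file, user and group names in the demo at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the ownership and mode of a
# slapd TLS private key file the way the thread recommends (mode 440,
# owner root, group the one slapd runs as, e.g. root:openldap on Debian).
# Assumes stat -c (GNU/busybox stat, i.e. Linux).

# check_key_perms FILE EXPECTED_OWNER EXPECTED_GROUP
# Returns 0 when FILE is a regular file owned by EXPECTED_OWNER:EXPECTED_GROUP
# whose mode grants nothing to "other" and at most read to the group
# (so 0440, 0400 and 0600 pass; 0444, 0460 and 0644 fail).
# Prints one diagnostic line per failed check and returns 1.
check_key_perms() {
    f=$1; want_user=$2; want_group=$3; rc=0
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is not a regular file"
        return 1
    fi
    # %a = octal mode without a leading zero, %U/%G = owner and group names
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    group=$(stat -c '%G' "$f")
    # Normalise to four digits (setuid/setgid/sticky digit first), then take
    # the group (3rd) and other (4th) digits.
    mode=$(printf '%04d' "$mode")
    g=$(printf '%s' "$mode" | cut -c3)
    o=$(printf '%s' "$mode" | cut -c4)

    [ "$owner" = "$want_user" ]  || { echo "FAIL: $f owned by $owner, want $want_user"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "FAIL: $f group is $group, want $want_group"; rc=1; }
    [ "$o" = "0" ]               || { echo "FAIL: $f mode $mode grants access to others"; rc=1; }
    case $g in
        0|4) ;;   # group may have no access or read-only
        *) echo "FAIL: $f mode $mode grants group write/execute"; rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed temporary file. On a real server the file would be
# the one named by TLSCertificateKeyFile in slapd.conf, and the expected
# owner/group the ones slapd runs as on your distribution.
demo_key=$(mktemp)
trap 'rm -f "$demo_key"' EXIT
me=$(id -un); mygrp=$(id -gn)
chmod 0440 "$demo_key"
check_key_perms "$demo_key" "$me" "$mygrp" && echo "OK: $demo_key is $me:$mygrp, mode 0440"
chmod 0644 "$demo_key"
check_key_perms "$demo_key" "$me" "$mygrp" || echo "as expected: mode 0644 is rejected"
```

The check is deliberately stricter than "is it 0440": anything that gives "other" any bit, or the group write or execute, fails, while an owner-only 0400 or 0600 still passes, since those are at least as tight as what the thread asks for.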