Programs that write certs and private keys out to disk
generally put some kind of password protection on them. This
makes sense in connection with client certs where the user can
be prompted for a cert store password. What about cert files
on servers? Is it common for them to not use password
protection and to rely on filesystem security instead?
Well, with a password, you have to type it in whenever the server restarts,
so that can be inconvenient. The alternatives are to rely on filesystem
security (and the machine's physical security), or to load the key from
a piece of external secure hardware, or to do all the private-key
operations in external hardware. Various solutions exist for these things.
See www.ncipher.com for example. Warning: their stuff is high quality,
but expen$ive.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
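The two software options the reply contrasts, a passphrase-encrypted key and a plaintext key guarded only by file permissions, shown side by side as an added example (this is not from the post or the OpenSSL project). It assumes the openssl(1) command-line tool is installed; the working directory, file names and the passphrase are constructed for the demo. The third option in the reply, keeping the key in external hardware, has no offline equivalent and is not shown.

```shell
#!/bin/sh
# Added example (not from the post above): a passphrase-encrypted server key
# versus a plaintext key protected only by its file mode, with a check for
# each. Assumes the openssl(1) CLI is installed; the directory, file names
# and passphrase below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
umask 077                      # every file created below starts out mode 0600

# Option 1: encrypted PEM. The server needs the passphrase on every restart.
make_encrypted_key() {
    printf 'demo-passphrase\n' > "$WORK/pass"          # constructed passphrase
    # -passout file: keeps the passphrase out of the process list, unlike pass:
    openssl genrsa -aes256 -passout file:"$WORK/pass" \
        -out "$WORK/enc.key" 2048 2>/dev/null
}

# Protection check: a wrong passphrase must be rejected, the right one accepted.
encrypted_key_needs_pass() {
    if openssl rsa -in "$WORK/enc.key" -passin pass:wrong-guess -noout 2>/dev/null; then
        return 1                # loaded without the real passphrase: not protected
    fi
    openssl rsa -in "$WORK/enc.key" -passin file:"$WORK/pass" -noout 2>/dev/null
}

# Option 2: plaintext PEM. Unattended restarts work, so the file mode (and the
# host's physical security) is all that keeps other local users off the key.
make_plain_key() {
    rm -f "$WORK/plain.key"     # recreate so the umask, not an old mode, applies
    openssl genrsa -out "$WORK/plain.key" 2048 2>/dev/null
}

# Protection check: no group or other bits at all (columns 5-10 of ls -l).
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo run
make_encrypted_key
encrypted_key_needs_pass && echo "enc.key: passphrase required to load"
make_plain_key
key_perms_ok "$WORK/plain.key" && echo "plain.key: mode restricts it to the owner"
chmod 644 "$WORK/plain.key"     # one careless chmod and the plaintext key is exposed
key_perms_ok "$WORK/plain.key" || echo "plain.key: readable by others, key exposed"
```

The encrypted key survives a careless chmod because the passphrase, not the file mode, is what protects it; the plaintext key does not, which is why a server that stores keys unencrypted for unattended restarts should also pin down ownership and mode (and ideally mount the key directory so only the service account can reach it).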