Thank you very much. This set me on the right path, and I was able to find the following excerpt:

How can I get rid of the pass-phrase dialog at Apache startup time?

The reason why this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to be able to read and parse this file. When you can be sure that your server is secure enough you perform two steps:

Remove the encryption from the RSA private key (while preserving the original file):

    $ cp server.key server.key.org
    $ openssl rsa -in server.key.org -out server.key

Make sure the server.key file is now only readable by root:

    $ chmod 400 server.key

Now server.key will contain an unencrypted copy of the key. If you point your server at this file it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on that file are really such that only root or the web server user can read it (preferably get your web server to start as root but run as another server, and have the key readable only by root).

As an alternative approach you can use the ``SSLPassPhraseDialog exec:/path/to/program'' facility. But keep in mind that this is neither more nor less secure, of course.


Which worked like a charm! Thanks!

--Scott Brown


At 06:58 PM 1/24/2003, you wrote:
On Fri, 24 Jan 2003, Scott Brown wrote:

> In some documentation somewhere (can't recall what it went to) it said that
> if I am forced to enter a passphrase, I generated the key incorrectly, but
> I also followed the standard mantra of RTFM before I started, soooo...
>
> I need Apache to run as a Windows 2k Service, with SSL enabled (OpenSA, I
> keep forgetting this is an altered Apache).
>
> Can anyone point me in the right direction? I know this is probably the
> "newbiest" question this list has seen in a long time, but I could sure use
> the help!

Chapter 3, mod_ssl User Manual, first configuration directive.

        SSLPassPhraseDialog

Merton Campbell Crockett



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

-------------------------------------------------------------------------------
This message was processed by Mail Filter Extension
http://sssolutions.net/mf/
-------------------------------------------------------------------------------



H. Scott Brown, President
Corridor Computing, LLC - Technical Services for Small Business
http://www.corridorcomputing.com
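
An added example, not part of the original message or the mod_ssl FAQ: a small audit that reports whether a PEM key file is still pass-phrase protected and whether its mode keeps group and other out, which is the state the excerpt's warning is about. The function names and sample files are hypothetical and constructed (headers only, no real key material); file ownership is not checked.

```shell
#!/bin/sh
# Added example: audit a PEM private key file against the FAQ excerpt's advice.

# True if the PEM file is pass-phrase protected. Traditional (SSLeay) keys carry a
# "Proc-Type: 4,ENCRYPTED" header; PKCS#8 keys use an "ENCRYPTED PRIVATE KEY" label.
key_is_encrypted() {
    grep -Eq -e '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' -- "$1"
}

# True if group and other have no permission bits (e.g. mode 400 or 600).
# Parses the "ls -ld" mode string so it works on both GNU and BSD userlands.
key_mode_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints "<encrypted|plaintext>,<private|exposed>" for FILE.
# Returns 1 only for the case the FAQ warns about: an unencrypted key that
# accounts other than its owner can access. Returns 2 if FILE is not a regular file.
audit_key() {
    [ -f "$1" ] || { echo "missing"; return 2; }
    if key_is_encrypted "$1"; then enc=encrypted; else enc=plaintext; fi
    if key_mode_is_private "$1"; then perm=private; else perm=exposed; fi
    echo "$enc,$perm"
    [ "$enc" = encrypted ] || [ "$perm" = private ]
}

# Constructed sample files (PEM headers with dummy bodies, not real keys).
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$dir/server.key.org"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$dir/server.key"
    chmod 644 "$dir/server.key.org" "$dir/server.key"
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "before chmod: $(audit_key "$tmp/server.key" || true)"
chmod 400 "$tmp/server.key"
echo "after chmod:  $(audit_key "$tmp/server.key")"
echo "backup copy:  $(audit_key "$tmp/server.key.org")"
rm -rf "$tmp"
```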

