Re: How do I create an unencrypted private key (without pass phrase)?

On Wed, 6 Feb 2002, Cliff Woolley wrote:

> On Wed, 6 Feb 2002, Owen Boyle wrote:
>
> > Having a password means that no-one can use your certificate - even if
> > they obtain a copy of it. They can load the cert into their server but
> > it won't let the server come up unless they know the password.
> >
> > The downside is that you have to type in the password personally to
> > start apache. Tricks like putting the password in a program and so on
> > just shift the risk - the hacker just needs to grab the program.
> >
> > My personal tuppence-worth is that if you have a machine where there is
> > a risk that hackers can steal root-privileged files then you should not
> > be running it as an SSL web-server (if they can steal a cert, they can
> > steal your customer's private data - exposing you to a liability issue).
> > So if you protect your server to the utmost, you have no need of a
> > password protected certificate.
>
> s/certificate/private key/g, and this matches my sentiments exactly.
> Passphrases just give a false sense of security.

Cool, since the vast majority of websites are run insecurely, and most folks putting up a server install all the little toys and trinkets of the underlying OS distributions they choose to run, and since many of these sites run insecure off-the-shelf freebie scripts, just give out the most insecure pointers they can actually allow, and make the issue of security of any aspect for them a moot point.

Thanks,

Ron DuFresne
--
~~ admin & senior security consultant: sysinfo.com http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: How do I create an unencrypted private key (without pass phrase)?

> Having a password means that no-one can use your certificate - even if
> they obtain a copy of it. They can load the cert into their server but
> it won't let the server come up unless they know the password.

Although after accepting a passphrase the unencrypted key is sitting in memory in the web server (it has to be, so that it can be used to accept new connections). If you can dump the memory of a process (root can do this on a lot of UNIX systems; on others you can do it from a CGI run as the user Apache is running as) then you can grab the key without a lot of effort.

> So if you protect your server to the utmost, you have no need of a
> password protected certificate.

Absolutely; if someone is root on your system they're going to get the key if they want it. Adding a passphrase isn't going to stop them, and is just going to make it more annoying for you to use your server.

(This is where the hardware crypto device people chime in and tell you about their systems that let you keep the keys in external, FIPS-compliant, hardware.)

Mark
--
Mark J Cox ... www.awe.com/mark
Apache Software Foundation . OpenSSL Group . Apache Week editor
Re: How do I create an unencrypted private key (without pass phrase)?

On Wed, 6 Feb 2002, Owen Boyle wrote:

> Having a password means that no-one can use your certificate - even if
> they obtain a copy of it. They can load the cert into their server but
> it won't let the server come up unless they know the password.
>
> The downside is that you have to type in the password personally to
> start apache. Tricks like putting the password in a program and so on
> just shift the risk - the hacker just needs to grab the program.
>
> My personal tuppence-worth is that if you have a machine where there is
> a risk that hackers can steal root-privileged files then you should not
> be running it as an SSL web-server (if they can steal a cert, they can
> steal your customer's private data - exposing you to a liability issue).
> So if you protect your server to the utmost, you have no need of a
> password protected certificate.

s/certificate/private key/g, and this matches my sentiments exactly. Passphrases just give a false sense of security.

--Cliff
--
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
Re: How do I create an unencrypted private key (without pass phrase)?

Sir SoilentG_kov wrote:

> It's in the FAQs and was very easy to do. Now I can boot remotely and
> walk away :) Security? Well, if someone can get into the /etc/httpd/conf/ssl
> directory then I'm hosed anyhow, so why worry? I think one of the gurus
> around here even said p'word protecting the keys is sorta useless... maybe I
> saw that in the archives... dunno.

Having a password means that no-one can use your certificate - even if they obtain a copy of it. They can load the cert into their server but it won't let the server come up unless they know the password.

The downside is that you have to type in the password personally to start apache. Tricks like putting the password in a program and so on just shift the risk - the hacker just needs to grab the program.

My personal tuppence-worth is that if you have a machine where there is a risk that hackers can steal root-privileged files then you should not be running it as an SSL web-server (if they can steal a cert, they can steal your customer's private data - exposing you to a liability issue). So if you protect your server to the utmost, you have no need of a password protected certificate.

Rgds,

Owen Boyle
RE: How do I create an unencrypted private key (without pass phrase)?

Actually, no need to reply to my request for an explanation... I went to the mod-ssl.org page and re-read the FAQ, and the thing I was after was the way to bypass the Apache "wait for PEM code" thingy. It's in the FAQs and was very easy to do. Now I can boot remotely and walk away :)

Security? Well, if someone can get into the /etc/httpd/conf/ssl directory then I'm hosed anyhow, so why worry? I think one of the gurus around here even said p'word protecting the keys is sorta useless... maybe I saw that in the archives... dunno.

Link to FAQ with specific info FYI:
http://www.modssl.org/docs/2.8/ssl_faq.html#remove-passphrase

Jeff

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pasumarthi Naveen
> Sent: Tuesday, February 05, 2002 1:48 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How do I create an unencrypted private key (without pass phrase)?
>
> http://www.openssl.org/docs/apps/genrsa.html
> to my rescue got the correct arguments
> to the -passout flag.
>
> naveen
>
> --- Pasumarthi Naveen <[EMAIL PROTECTED]> wrote:
> > I would like to create an unencrypted
> > private key. Tried a couple of combinations
> > with the "-passout" flag for "genrsa" with
> > no luck.
> >
> > Am I on the right track??
> >
> > Can someone point me to / provide the
> > openssl genrsa .. command to create
> > a private key without user input of a
> > PEM passphrase
> >
> > alternatively
> >
> > is it possible for the passphrase to be read
> > from a file?
> >
> > I understand this approach is not secure...
> >
> > Thanks a bunch,
> > Naveen
RE: How do I create an unencrypted private key (without pass phrase)?

I'd like you to be more descriptive, please... what argument did you use?

thanks,
Jeff

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pasumarthi Naveen
> Sent: Tuesday, February 05, 2002 1:48 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How do I create an unencrypted private key (without pass phrase)?
>
> http://www.openssl.org/docs/apps/genrsa.html
> to my rescue got the correct arguments
> to the -passout flag.
>
> naveen
>
> --- Pasumarthi Naveen <[EMAIL PROTECTED]> wrote:
> > I would like to create an unencrypted
> > private key. Tried a couple of combinations
> > with the "-passout" flag for "genrsa" with
> > no luck.
> >
> > Am I on the right track??
> >
> > Can someone point me to / provide the
> > openssl genrsa .. command to create
> > a private key without user input of a
> > PEM passphrase
> >
> > alternatively
> >
> > is it possible for the passphrase to be read
> > from a file?
> >
> > I understand this approach is not secure...
> >
> > Thanks a bunch,
> > Naveen
Re: How do I create an unencrypted private key (without pass phrase)?

http://www.openssl.org/docs/apps/genrsa.html to my rescue got the correct arguments to the -passout flag.

naveen

--- Pasumarthi Naveen <[EMAIL PROTECTED]> wrote:
> I would like to create an unencrypted
> private key. Tried a couple of combinations
> with the "-passout" flag for "genrsa" with
> no luck.
>
> Am I on the right track??
>
> Can someone point me to / provide the
> openssl genrsa .. command to create
> a private key without user input of a
> PEM passphrase
>
> alternatively
>
> is it possible for the passphrase to be read
> from a file?
>
> I understand this approach is not secure...
>
> Thanks a bunch,
> Naveen
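The two things this thread circles, Naveen's genrsa question and the FAQ "remove-passphrase" recipe Jeff points at, as an added example that is not code from any poster or from mod_ssl. It assumes a POSIX sh and an `openssl` binary on PATH; the passphrase and every file path are constructed, throwaway values, and the mode and header checks are the ones a cautious admin adds around either route.

```shell
#!/bin/sh
# Added example, not from the thread: the two routes the posts describe to a
# passphrase-free mod_ssl server key, with the checks a careful admin adds.
# Assumes POSIX sh and an `openssl` binary on PATH; every path is a temp file.

# Is this PEM file encrypted? Both the old "Proc-Type: 4,ENCRYPTED" header and
# the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" form contain the word ENCRYPTED.
is_encrypted() { grep -q ENCRYPTED "$1"; }

# Route 1 (the FAQ "remove-passphrase" recipe): decrypt an existing key into a
# plaintext copy. The copy is created 0600 via umask so there is never a window
# in which it is world-readable. Prints "ok" on success.
strip_passphrase() {
    enc=$1 pass=$2 plain=$3
    # NOTE: pass:... on the command line is visible in `ps` while openssl runs;
    # that is the "just shifts the risk" point made in the thread.
    ( umask 077 && openssl rsa -in "$enc" -passin "pass:$pass" -out "$plain" ) \
        2>/dev/null || { echo convert-failed; return 1; }
    is_encrypted "$plain" && { echo still-encrypted; return 1; }
    openssl rsa -check -noout -in "$plain" >/dev/null 2>&1 || { echo bad-key; return 1; }
    case $(ls -ld "$plain") in -rw-------*) ;; *) echo bad-mode; return 1 ;; esac
    echo ok
}

# Route 2 (the genrsa question): no -passout gymnastics are needed; omitting the
# cipher option (-aes256, -des3, ...) makes genrsa write the key unencrypted.
gen_plain_key() {
    ( umask 077 && openssl genrsa -out "$1" 2048 ) 2>/dev/null || return 1
    is_encrypted "$1" && return 1
    openssl rsa -check -noout -in "$1" >/dev/null 2>&1
}

# End-to-end run on constructed, throwaway material; prints "ok" if both routes
# yield a verified, unencrypted, owner-only key.
demo() {
    d=$(mktemp -d) || return 1
    # Constructed passphrase for the demo only.
    openssl genrsa -aes256 -passout pass:demo-only -out "$d/server.key.enc" 2048 \
        2>/dev/null || { rm -rf "$d"; echo genrsa-failed; return 1; }
    is_encrypted "$d/server.key.enc" || { rm -rf "$d"; echo not-encrypted; return 1; }
    r=$(strip_passphrase "$d/server.key.enc" demo-only "$d/server.key")
    gen_plain_key "$d/direct.key" || r="direct-failed"
    rm -rf "$d"
    echo "$r"
}
```

Whichever route is used, the resulting file is exactly as sensitive as Mark and Owen describe: anyone who can read it owns the server's identity, so the 0600 check matters more than the choice between the two commands.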