Hi,

On Mon, Aug 18, 2008 at 01:34:51AM +0200, tacone wrote:
> Hello, we're building an ssl plugin for the Apache configurator
> software we're building.
>
> As we try to implement and promote the best practices, we found
> ourselves stuck when trying to determine where the .key file of the
> certificate should be placed, and with which permissions.
>
> /etc/ssl/private seems the best option, but it's (correctly) readable
> only by root, so Apache complains that the file either doesn't exist or
> is empty.

When Apache loads the private keys, it is running as root, and will not complain.

> We could easily create our own /etc/apache2/ssl/private directory
> owned by www-data, but first we'd like to know if there's already a
> standard location about storing SSL certificates to be used by Apache.

Allowing private keys to be readable by www-data is a very bad idea, security-wise. This means any program running under CGI, PHP, etc., will be able to read these files. This totally breaks the purpose of the "private" part of private keys.

> Which directory? Which permissions? What's the best practice?

/etc/ssl/private is the right place, the permissions are already correct (rwx user root, x group ssl-cert). Manipulating private keys from within Apache is not something I would recommend.

-Kees

--
Kees Cook
Ubuntu Security Team
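
The permission reasoning in the reply above, as an added example that is not part of the original message: it evaluates Unix mode bits along the whole path to a key for root and for www-data, comparing /etc/ssl/private (directory mode as stated in the reply) with the proposed www-data-owned directory. The numeric ids, the `example.key` file names and the key-file modes are constructed assumptions.

```python
import os
import stat
from collections import namedtuple

# One path component: permission bits plus owner uid/gid (mirrors os.stat fields).
Entry = namedtuple("Entry", "path mode uid gid")
BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
        "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}

def allowed(entry, uid, gids, want):
    """Unix mode-bit check; ACLs and capabilities are not modelled."""
    if uid == 0:
        return True  # root is not restricted by read/search bits
    owner, group, other = BITS[want]
    if uid == entry.uid:
        return bool(entry.mode & owner)
    if entry.gid in gids:
        return bool(entry.mode & group)
    return bool(entry.mode & other)

def can_read_key(chain, uid, gids):
    """chain lists every directory from / down to the key, key file last."""
    *dirs, key = chain
    return all(allowed(d, uid, gids, "x") for d in dirs) and allowed(key, uid, gids, "r")

def chain_for(path):
    """Build the chain for a real file from os.stat, for use on a live system."""
    chain, cur = [], os.path.realpath(path)
    while True:
        st = os.stat(cur)
        chain.append(Entry(cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        if cur == os.path.dirname(cur):
            return chain[::-1]
        cur = os.path.dirname(cur)

# Constructed sample data: ids, file names and key-file modes are assumptions.
WWW_DATA, SSL_CERT = 33, 110
BASE = [Entry("/", 0o755, 0, 0), Entry("/etc", 0o755, 0, 0)]
DISTRO = BASE + [Entry("/etc/ssl", 0o755, 0, 0),
                 Entry("/etc/ssl/private", 0o710, 0, SSL_CERT),  # rwx root, x ssl-cert
                 Entry("/etc/ssl/private/example.key", 0o640, 0, SSL_CERT)]
PROPOSED = BASE + [Entry("/etc/apache2", 0o755, 0, 0), Entry("/etc/apache2/ssl", 0o755, 0, 0),
                   Entry("/etc/apache2/ssl/private", 0o700, WWW_DATA, WWW_DATA),
                   Entry("/etc/apache2/ssl/private/example.key", 0o600, WWW_DATA, WWW_DATA)]

if __name__ == "__main__":
    for name, chain in (("distro", DISTRO), ("proposed", PROPOSED)):
        for who, uid, gids in (("root", 0, {0}), ("www-data", WWW_DATA, {WWW_DATA})):
            print(name, who, can_read_key(chain, uid, gids))
```

With the assumed 0640 key mode, passing `{WWW_DATA, SSL_CERT}` as the group set also returns True for the distro layout, so adding www-data to ssl-cert exposes the key just as the proposed directory does.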
