[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#267477: SSLCertificateKeyFile Directive further comment

Regarding the comment saying that the SSLCertificateKeyFile Directive was
not needed, this advice should be taken with a grain of salt. Quoting from
(emphasis added):

"This directive points to the PEM-encoded Private Key file for the server.
If the Private Key is not combined with the Certificate in the
SSLCertificateFile, use this additional directive to point to the file
with the stand-alone Private Key. ******When SSLCertificateFile is used
and the file contains both the Certificate and the Private Key this
directive need not be used. But we strongly discourage this practice.
Instead we recommend you to separate the Certificate and the Private
Key.****** If the contained Private Key is encrypted, the Pass Phrase
dialog is forced at startup time. This directive can be used up to two
times (referencing different filenames) when both a RSA and a DSA based
private key is used in parallel."

So, it can go either way depending on how you have things set up. I chose
to go with the apache suggested setup. The apache-ssl (apache v1)
httpd.conf includes the following text (which pretty much walks you
through whether to use this Key directive or not):


# Point SSLCertificateFile at a PEM encoded certificate.
# If the certificate is encrypted, then you will be prompted for a pass
# Note that a kill -1 will prompt again.
# A test certificate can be generated with "make certificate".
SSLCertificateFile /etc/apache-ssl/apache.pem
#SSLCertificateFile /u/ben/apache/apache_1.2.6-ssl/SSLconf/conf/t1.pem

# If the key is not combined with the certificate, use this directive to
# point at the key file. If this starts with a '/' it specifies an absolute
# path, otherwise it is relative to the default certificate area. That is, it
# means "<default>/private/<keyfile>".
#SSLCertificateKeyFile /some/place/with/your.key



Reply to: