
Re: Apache-SSL 'n Cert Fun



On Sun, Mar 02, 2003 at 08:01:20AM -0500, D. Clarke wrote:
> apache-ssl works fine without an encrypted test key & cert... once
> encrypted pewf, it dies (which I need, because that's how the client
> gave it to me...  ugh.)
> 
> Any new ideas? :)

use openssl and the pass-phrase to decrypt the cert.  then configure
apache to use the decrypted copy.


using encrypted certificates on a web server is worse than useless.
either:

1. you store the pass-phrase on the server so that the startup
scripts can read it (which is pointless, any attacker that could get an
unencrypted cert could also get an encrypted cert plus the passphrase)

or

2. you manually enter the passphrase every time apache is restarted.
this effectively prevents automatic startup of your web server at boot
time (e.g. after a power failure or kernel upgrade, etc.), and also makes
it impossible for staff to restart the server unless they know the
pass-phrases for all encrypted keys used by the server.


since there's no security advantage in using encrypted certificates
(item #1 above), and significant operational disadvantages (item #2), 
your best bet is to use unencrypted certificates.


craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
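The decrypt-then-configure step Craig suggests, as an added example that is not part of the original mail. It assumes the pass-phrase-protected object is the server's private key (the certificate itself is public and is not encrypted), uses `openssl rsa` to strip the pass-phrase, writes the plaintext copy with mode 0600 from the moment it is created, and checks that the decrypted key still matches the certificate before the server is pointed at it. The temporary directory, file names and pass-phrase are constructed for the demo; in practice the pass-phrase file and the plaintext key should be readable by root only.

```shell
#!/bin/sh
# Added example (not from the original mail): decrypt a pass-phrase-protected
# private key with openssl so the web server can start unattended, keeping
# the plaintext copy readable only by its owner. All paths and the
# pass-phrase below are constructed for the demo.

# Return 0 if the PEM file carries an encryption header, either the
# traditional "Proc-Type: 4,ENCRYPTED" or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -Eq 'ENCRYPTED' "$1"
}

# decrypt_key ENCRYPTED_PEM PLAIN_PEM PASSFILE
# The umask runs in a subshell so the plaintext key is created 0600 from the
# start; there is never a window where it is world-readable.
decrypt_key() {
    enc=$1; plain=$2; passfile=$3
    ( umask 077; openssl rsa -in "$enc" -passin "file:$passfile" -out "$plain" 2>/dev/null ) || return 1
    chmod 0600 "$plain"
}

# key_matches_cert KEY_PEM CERT_PEM
# Compare the public key inside the certificate with the one derived from the
# private key; a mismatch means the wrong key was decrypted.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

# key_mode_is_0600 FILE: portable permission check via ls(1).
key_mode_is_0600() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# demo: build a throwaway key and self-signed cert, encrypt the key with a
# pass-phrase (as a client might hand it over), then decrypt and verify.
# Returns 0 only if every step succeeds.
demo() {
    d=$(mktemp -d) || return 1
    printf 'demo-passphrase\n' > "$d/pass"   # constructed pass-phrase
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/key.pem" 2>/dev/null || return 1
    openssl req -new -x509 -key "$d/key.pem" -subj /CN=example.test \
        -days 1 -out "$d/cert.pem" 2>/dev/null || return 1
    # Encrypt the key the way the client's copy would be encrypted.
    openssl rsa -in "$d/key.pem" -aes256 -passout "file:$d/pass" \
        -out "$d/key.enc.pem" 2>/dev/null || return 1
    key_is_encrypted "$d/key.enc.pem" || return 1
    decrypt_key "$d/key.enc.pem" "$d/key.plain.pem" "$d/pass" || return 1
    key_is_encrypted "$d/key.plain.pem" && return 1
    key_matches_cert "$d/key.plain.pem" "$d/cert.pem" || return 1
    key_mode_is_0600 "$d/key.plain.pem" || return 1
    rm -rf "$d"
    return 0
}
```

After `decrypt_key` has produced the plaintext file, the server's key directive is pointed at that copy rather than at the client's encrypted one; the encrypted original and the pass-phrase file can then be removed from the server, since, as the mail notes, keeping both next to each other adds nothing.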


