
Re: Apache-SSL 'n Cert Fun



Hi,

Thanks.  I decrypted it this afternoon actually and it works fine.  Still
bugs me that it doesn't work with it encrypted, but that's another day [and
not my problem :)]

However, the next problem is...

With two vhosts configured, apache-ssl seems to only send out the cert for
the 'default' domain regardless of which vhost I go after. Even though each
vhost has a separate specified .pem file.

Yippi. :(

~ Darryl

----- Original Message -----
From: "Craig Sanders" <cas@taz.net.au>
To: "D. Clarke" <dclarke@FlatlineSystems.net>
Cc: <debian-isp@lists.debian.org>
Sent: Sunday, March 02, 2003 8:13 PM
Subject: Re: Apache-SSL 'n Cert Fun


> On Sun, Mar 02, 2003 at 08:01:20AM -0500, D. Clarke wrote:
> > apache-ssl works fine without an encrypted test key & cert... once
> > encrypted pewf, it dies (which I need, because that's how the client
> > gave it to me...  ugh.)
> >
> > Any new ideas? :)
>
> use openssl and the pass-phrase to decrypt the cert.  then configure
> apache to use the decrypted copy.
>
>
> using encrypted certificates on a web server is worse than useless.
> either:
>
> 1. you store the pass-phrase on the server so that the startup
> scripts can read it (which is pointless, any attacker that could get an
> unencrypted cert could also get an encrypted cert plus the passphrase)
>
> or
>
> 2. you manually enter the passphrase every time apache is restarted.
> this effectively prevents automatic startup of your web server at boot
> time (e.g after a power failure, or kernel upgrade etc), and also makes
> it impossible for staff to restart the server unless they know the
> pass-phrases for all encrypted keys used by the server.
>
>
> since there's no security advantage in using encrypted certificates
> (item #1 above), and significant operational disadvantages (item #2),
> your best bet is to use unencrypted certificates.
>
>
> craig
>
> --
> craig sanders <cas@taz.net.au>
>
> Fabricati Diem, PVNC.
>  -- motto of the Ankh-Morpork City Watch
>
>
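The decrypt step described in the quoted reply, as an added example that is not part of the original thread: it checks whether a PEM key is passphrase-protected and writes a decrypted copy readable only by its owner. The function names, file paths and the passphrase file are assumptions made for illustration; only the private key block is written, so a certificate stored in the same .pem has to be copied across separately.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not from the thread.

# Return 0 if the PEM file holds a passphrase-protected private key.
pem_key_is_encrypted() {
    # Traditional PEM flags encryption in a Proc-Type header line;
    # PKCS#8 flags it in the BEGIN line itself.
    grep -Eq -e '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' -- "$1"
}

# decrypt_pem_key SRC DST PASSFILE
# Writes an unencrypted copy of the key in SRC to DST (mode 0600).
# Returns 2 if SRC is not encrypted, 1 if openssl fails (e.g. wrong passphrase).
decrypt_pem_key() {
    src=$1
    dst=$2
    passfile=$3

    if ! pem_key_is_encrypted "$src"; then
        echo "$src: key is not encrypted, nothing to do" >&2
        return 2
    fi

    # Read the passphrase from a file rather than the command line so it
    # does not show up in the process list or shell history.
    (
        umask 077    # a newly created DST is never group/world readable
        openssl pkey -in "$src" -passin "file:$passfile" -out "$dst"
    ) || { rm -f "$dst"; return 1; }

    # Tighten permissions in case DST already existed with a looser mode.
    chmod 600 "$dst"
}

# Stand-alone use: sh decrypt-key.sh encrypted.pem decrypted.pem passphrase.txt
if [ "$#" -eq 3 ]; then
    decrypt_pem_key "$1" "$2" "$3"
fi
```

Delete the passphrase file once the decrypted copy is in place, and point the vhost's key directive at the new file.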


