Re: SSL certificate pass phase in apache



Hi

As afshin_pir@xxxxxxxxx wrote (but it didn't come out clearly), you can
use the SSLPassPhraseDialog option. Take a look at
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslpassphrasedialog
for more info about it.
Example of usage is "SSLPassPhraseDialog
exec:/usr/local/apache/sbin/pp-filter" and here is a quote from the
link I gave you:
<quote>
Mod_ssl just defines the interface: an executable program which
provides the Pass Phrase on stdout. Nothing more or less! So, if
you're really paranoid about security, here is your interface.
Anything else has to be left as an exercise to the administrator,
because local security requirements are so different.
</quote>

So, if you like, you can have the executable get the password from
somewhere, e.g. `cat /root/filewithpasswd`, or you can make it as complex
as you want, for example make it need a smartcard. It's all up to you.
:)

--
Lars

On 2/23/07, Björn Bergstrand <bjorn@xxxxxxxxxxxx> wrote:
I don't know about normally, but if you have a password-protected private key,
you need to have somebody around to punch the passphrase in when the webserver restarts.

> Hi all
> I know that I can remove password of my private key using this command:
> openssl rsa -in foo_key.pem -out foo_keyclear.pem
>
> But I don't like this, because I should save private key without any protection on server, and if somebody accesses this file, he can easily generate a dummy "valid certificate" from same Issuer.
> Is this the way that is normally used on servers for their SSL?
> They won't use:
> SSLPassPhraseDialog exec:cert/passgenerator
> for sending pass to apache and then protect that pass generator?
>
> Regards
>
> ---------------------------------------------------------------------------
> This list is sponsored by: BigFix
>
> If your IT fails, you're out of business - or worse. Arm your
> enterprise with BigFix, the single converged IT security and operations
> engine. BigFix enables continuous discovery, assessment, remediation,
> and enforcement for complex and distributed IT environments in real-time
> from a single console.
> Think what's next. Think BigFix.
>
> http://ad.doubleclick.net/clk;82309979;15562032;o?http://www.bigfix.com/ITNext/
> ---------------------------------------------------------------------------
>
>
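
A pass phrase program of the kind discussed in this thread, as an added example that is not part of the original messages and not code from the Apache project. mod_ssl calls the program with two arguments (`servername:port` and `RSA` or `DSA`) and reads the pass phrase from stdout; the directory `PP_DIR`, the one-file-per-key naming and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example of a pass phrase helper for:
#   SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
# mod_ssl runs it as: pp-filter servername:port RSA|DSA
# and reads the pass phrase from stdout.
# Assumption: one file per key, named $PP_DIR/<servername:port>.<alg>.
PP_DIR="${PP_DIR:-/root/ssl-pp}"   # hypothetical directory

# True only for a regular file (not a symlink) owned by the calling
# user with mode 0400 or 0600, i.e. no group/other access at all.
pp_file_is_private() {
    f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    mode=$(ls -ln "$f" | cut -c1-10)
    owner=$(ls -ln "$f" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        -r?-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the pass phrase for one server/algorithm pair.
# Returns 2 on malformed arguments, 3 on an unsafe or missing file.
pp_lookup() {
    server="$1"; alg="$2"
    case "$alg" in RSA|DSA) ;; *) return 2 ;; esac
    # Allow only host:port characters so the argument cannot
    # escape PP_DIR (no slashes, no whitespace).
    case "$server" in
        ''|*[!A-Za-z0-9.:_-]*) return 2 ;;
    esac
    f="$PP_DIR/$server.$alg"
    pp_file_is_private "$f" || return 3
    cat "$f"
}

# Run as a helper only when called with arguments, as mod_ssl does.
if [ "$#" -gt 0 ]; then
    pp_lookup "$1" "${2:-}"
    exit $?
fi
```

A pass phrase kept on the same host protects copies of the key file that leave the machine (backups, misplaced archives), not a host where someone already has root.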
