[oclug] Webservers and SSL certificates
bjlockie at lockie.ca
Wed Feb 16 00:01:09 EST 2005
On 15/02/2005 9:46 PM Mark spoke:
> I have a quick question about webservers and SSL certificates:
> I use apache on a bunch of servers (both version 1 and 2).
> At the moment I have only one domain that has an SSL certificate. The private key is password-protected, so I have to enter the
> password every time the server gets started. Restart works without re-entering the password (luckily).
> Now I am about to get some more certificates for some other domains.
> The question is, should I first generate a new private key for each of them, or can I use the same one?
I think a certificate is just a combination of a private and public key.
You can use the same certificate and hence public/private keys if you
want or have new certificates and public/private keys.
> Also, if I have a whole bunch of SSL domains that have password-protected certificates, do I have to enter the password for each of them
> at startup? I guess that would be a strong argument against password-protecting them.
> Is there any general common sense or best practice how to handle this?
> Lastly, what is the challenge password in the CSR used for?
> Do people usually use this or leave it empty?
It is to provide more security on the private key and hence everything
that the private key lets you do (passwordless logins, etc.).
If the box containing the private key is secure and/or the private key
is used for a non-critical purpose, it is more convenient to have it
without a password.
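
An added illustration of the two passwords asked about in this thread (not part of the original message or of any OCLUG material): the script creates a separate passphrase-encrypted key and a CSR for each of two domains, then checks where the CSR challenge password ends up. The domain names, passphrases and function names are constructed for the example; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example. Domains and passwords are constructed sample values.
set -e

# make_csr DOMAIN KEY_PASSPHRASE CHALLENGE
# Creates DOMAIN.key (AES-256 encrypted) and DOMAIN.csr in the current directory.
make_csr() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1.key" 2048 2>/dev/null
    cat > "$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
attributes = attrs
[dn]
CN = $1
[attrs]
challengePassword = $3
EOF
    openssl req -new -config "$1.cnf" -key "$1.key" -passin "pass:$2" -out "$1.csr"
}

# Hash of the public key embedded in a CSR.
csr_pubkey_id() {
    openssl req -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if PASSWORD decrypts the private key file.
key_opens_with() {
    openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Succeeds if TEXT appears as the challengePassword attribute of the CSR.
csr_shows_challenge() {
    openssl req -in "$1" -noout -text | grep -q "challengePassword.*$2"
}

work=$(mktemp -d) && cd "$work"
make_csr one.example key-pass-one challenge-one
make_csr two.example key-pass-two challenge-two

[ "$(csr_pubkey_id one.example.csr)" != "$(csr_pubkey_id two.example.csr)" ] &&
    echo "each domain has its own key pair"
csr_shows_challenge one.example.csr challenge-one &&
    echo "challenge password is readable by anyone holding the CSR"
key_opens_with one.example.key challenge-one ||
    echo "challenge password does not decrypt the private key"
key_opens_with one.example.key key-pass-one &&
    echo "only the key passphrase decrypts the private key"
```

Because the challenge password travels in clear text inside the CSR, it should never be the same string as the passphrase that encrypts the key file.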