[oclug] Webservers and SSL certificates
Derek T. Murphy (Home)
derekm at NightTiger.ca
Wed Feb 16 08:07:50 EST 2005
On Tue, 15 Feb 2005, [M]= Mark wrote:
> [M] I have a quick question about webservers and SSL certificates:
> [M] I use apache on a bunch of servers (both version 1 and 2).
> [M] At the moment I have only one domain that has a SSL certificate.
> [M] The private key is password-protected, so I have to enter the
> [M] password every time the server gets started. Restart works without
> [M] re-entering the password (luckily). Now I am about to get some more
You can "automate" the passphrase entering:
In the appropriate configuration file, if you change
to be something like
where /etc/apache/config/filename reads something like
    #!/bin/sh
    # Apache runs this file and reads the passphrase from its standard output
    echo "the webserver passphrase to STDOUT"
You won't need to enter the passphrase each time. But, of course, having
that in a file is insecure... even with root:root r-x------ permissions.
Your security practices will influence the final decision.
> [M] certificates for some other domains. The question is, should I
> [M] first generate a new private key for each of them, or can I use the
> [M] same one? Also, if I have a whole bunch of SSL domains that
> [M] password protected certificates, do I have to enter the password
> [M] for each of them at startup? I guess that would be a string
To use the above method for different domains, "filename" would go
    #!/bin/sh
    # $1 is the "servername:port" of the virtual host Apache is starting
    case "$1" in
        www.server.tld:443)  echo "passphrase one" ;;
        www.server2.tld:443) echo "passphrase2" ;;
        *) echo "a default case renders the virtuals unusable" ;;
    esac
but, of course, that's even less secure because more domains are at risk.
Note that different keys on the same server only work if there's no
default case (The underlying cert becomes the only recognizable one. You
may find http://slacksite.com/apache/certificate.html useful...)
Derek T. Murphy <DerekM at NightTiger.ca>
Night Tiger Inc. Kanata, Ontario, Canada
System Administration/Network Security GPG key at www.NightTiger.ca
"The answer *is* computers. What's your _question_?"
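As an added example (not the script from Derek's message, and not Apache project code), here is a fuller version of the per-vhost passphrase helper sketched above. Instead of hard-coding each passphrase in the script, it reads the passphrase from a root-only file named after the vhost identity under a hypothetical /etc/apache/ssl-pass directory (the directory layout and the PASS_DIR variable are my own assumptions). It keeps the post's two points: Apache calls the exec: program with "servername:port" as $1, and there is deliberately no default case, so an identity that is not on the allowlist gets no passphrase at all. The permission and symlink checks catch the outright mistakes (a world-readable or redirected file); the post's caveat that even a root-only file is weaker than typing the passphrase still applies, since the secret merely moves from the script into a file beside it.

```shell
#!/bin/sh
# Added example, not the script from the post: an Apache SSLPassPhraseDialog
# exec: helper that keeps the passphrases out of the script itself.
# Assumptions (mine, not the post's): Apache invokes this with
# "servername:port" as $1, and the PASS_DIR layout below is hypothetical.

# One file per virtual host, named exactly "servername:port" and readable by
# root only, e.g. /etc/apache/ssl-pass/www.server.tld:443 (constructed path).
# PASS_DIR can be overridden from the environment for testing.
PASS_DIR="${PASS_DIR:-/etc/apache/ssl-pass}"

# Print the passphrase for the vhost identity in $1 on stdout, or print
# nothing and return non-zero. There is deliberately no default case: the
# post notes a default case makes the virtuals unusable and widens the risk.
lookup_passphrase() {
    id="$1"
    # Exact-match allowlist. Because only these literal identities pass,
    # $id can never carry "/" or ".." into the path built below.
    case "$id" in
        www.server.tld:443|www.server2.tld:443) ;;
        *) echo "refusing unknown vhost identity: '$id'" >&2; return 1 ;;
    esac

    f="$PASS_DIR/$id"
    # Regular file only; a symlink could point us at an unexpected file.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2
        return 1
    fi

    # Owner-only mode. The mode string from "ls -ld" is portable across
    # GNU and BSD ls, unlike stat(1); cut to 10 chars drops any ACL marker.
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -r--------|-rw-------) ;;
        *) echo "refusing $f: mode $mode is not owner-only" >&2; return 1 ;;
    esac

    # First line only, so a stray trailing line never becomes part of the
    # passphrase Apache feeds to the key.
    head -n 1 "$f"
}

# When Apache runs this as the exec: helper, $1 is the vhost identity.
if [ "$#" -ge 1 ]; then
    lookup_passphrase "$1"
fi
```

Usage: install the script root-owned and executable, create one mode-600 file per vhost under PASS_DIR, and point the configuration's exec: entry at the script, exactly as for the one-line version above. Adding a vhost means adding it to the allowlist and creating its file; nothing else in the script changes.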