[oclug] Webservers and SSL certificates
Derek T. Murphy (Home)
derekm at NightTiger.ca
Wed Feb 16 08:07:50 EST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 15 Feb 2005, [M]= Mark wrote:
> [M] I have a quick question about webservers and SSL certificates:
> [M] I use apache on a bunch of servers (both version 1 and 2).
> [M] At the moment I have only one domain that has a SSL certificate.
> [M] The private key is password-protected, so I have to enter the
> [M] password every time the server gets started. Restart works without
> [M] re-entering the password (luckily). Now I am about to get some more
You can "automate" the passphrase entering:
In the appropriate configuration file, if you change

    SSLPassPhraseDialog builtin

to be something like

    SSLPassPhraseDialog exec:/etc/apache/config/filename

where /etc/apache/config/filename reads something like

    #!/bin/sh
    # mod_ssl runs this at startup and reads the passphrase from STDOUT
    echo "the webserver passphrase to STDOUT"

You won't need to enter the passphrase each time. But, of course, having
that in a file is insecure... even with root:root r-x------ permissions.
Your security practices will influence the final decision.
> [M] certificates for some other domains. The question is, should I
> [M] first generate a new private key for each of them, or can I use the
> [M] same one? Also, if I have a whole bunch of SSL domains that have
> [M] password-protected certificates, do I have to enter the password
> [M] for each of them at startup? I guess that would be a string
To use the above method for different domains, "filename" would go
something like:

    #!/bin/sh
    # mod_ssl passes the virtual host as $1 in the form servername:port
    case $1 in
        www.server.tld:443)  echo "passphrase one" ;;
        www.server2.tld:443) echo "passphrase2" ;;
        *) echo "a default case renders the virtuals unusable" ;;
    esac

but, of course, that's even less secure because more domains are at risk.
Note that different keys on the same server only work if there's no
default case (The underlying cert becomes the only recognizable one. You
may find http://slacksite.com/apache/certificate.html useful...)
- --
Derek T. Murphy <DerekM at NightTiger.ca>
Night Tiger Inc. Kanata, Ontario, Canada
System Administration/Network Security GPG key at www.NightTiger.ca
"The answer *is* computers. What's your _question_?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFCE0WvRVr2W6BTungRAl65AJ92Ne9SJAAagi6371j5JpeM1fDbKwCfaDRW
oyKGHvSIbVpg8Rf1MIN0aCQ=
=10ja
-----END PGP SIGNATURE-----
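As an added example (not part of Derek's post, and not an Apache or mod_ssl
script), here is a variant of the exec: helper above that keeps the
passphrases out of the script itself: it looks them up in a table file
(assumed path /etc/apache/config/passphrases, overridable through
PASSPHRASE_TABLE), refuses to run unless that file is mode 0600 and owned by
the invoking user (root at Apache startup), and has no default case, so an
unknown virtual host gets no passphrase at all rather than a shared one. The
two arguments, servername:port and the key type, are what mod_ssl passes to an
SSLPassPhraseDialog exec: script. The sample table written by make_demo_table is
constructed for the demonstration and contains no real credentials.

```shell
#!/bin/sh
# Added example: SSLPassPhraseDialog exec: helper that reads a root-only table.
# Assumed table path; one entry per line: "servername:port keytype passphrase..."
PASSPHRASE_TABLE="${PASSPHRASE_TABLE:-/etc/apache/config/passphrases}"

# Require a regular file, mode 0600 (trailing ./@/+ flags from ls are tolerated),
# owned by whoever runs this script (root when Apache starts).
check_table_perms() {
    [ -f "$1" ] || { echo "passphrase table $1 missing" >&2; return 1; }
    set -- "$1" $(ls -ld "$1")          # $2 = mode string, $4 = owner
    case $2 in
        -??-------*) ;;
        *) echo "passphrase table $1 must be mode 0600 (got $2)" >&2; return 1 ;;
    esac
    [ "$4" = "$(id -un)" ] || { echo "table $1 not owned by $(id -un)" >&2; return 1; }
}

# $1 = servername:port as mod_ssl passes it, $2 = key type (RSA or DSA).
# Prints the passphrase on success; returns 1 (prints nothing) if no entry matches.
lookup_passphrase() {
    check_table_perms "$PASSPHRASE_TABLE" || return 1
    awk -v h="$1" -v k="$2" '
        /^[ \t]*#/ || NF == 0 { next }                 # skip comments and blank lines
        $1 == h && $2 == k {
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "")  # strip the two key columns
            print; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$PASSPHRASE_TABLE"
}

main() {
    if [ "$#" -ne 2 ]; then
        echo "usage: $0 servername:port RSA|DSA" >&2
        return 2
    fi
    lookup_passphrase "$1" "$2" || {
        # Deliberately no default case: an unknown vhost stays locked instead of
        # every vhost being unlocked by one shared passphrase.
        echo "no passphrase for $1 ($2)" >&2
        return 1
    }
}

# Constructed sample table in a temp file (mktemp creates it mode 0600).
make_demo_table() {
    PASSPHRASE_TABLE=$(mktemp) || return 1
    chmod 0600 "$PASSPHRASE_TABLE"
    cat > "$PASSPHRASE_TABLE" <<'EOF'
# servername:port     keytype  passphrase (rest of line)
www.server.tld:443    RSA      passphrase one
www.server2.tld:443   RSA      passphrase2
EOF
}

if [ "$#" -eq 0 ]; then
    # Stand-alone demonstration; Apache invokes the script with two arguments.
    make_demo_table
    main www.server.tld:443 RSA          # prints "passphrase one"
    main www.server3.tld:443 RSA || :    # no entry: message on stderr, nothing on stdout
    rm -f "$PASSPHRASE_TABLE"
else
    main "$@"
fi
```

Install it with SSLPassPhraseDialog exec:/path/to/script, keep the table at
0600 root:root, and remember the caveat from the post still applies: anyone
who can read the table as root has every passphrase, so this only narrows
exposure, it does not remove it.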