 | | | how to decrypt private key for ssl? | how to decrypt private key for ssl? 2004-02-17 - By Steve
Back
A google search usually helps.
>From the first page returned with the terms "ssl httpd remove pass phrase "
(needed the cached version)
[quote]
If you have encrypted your private server key, every time you start apache
with apachectl startssl, you will be prompted for pass phrase - that 's why
it cannot be started automaticaly. You can remove pass phrase from your
server key (located in /usr/local/apache/conf/ssl.key/server.key - if you
installed apache in /usr/local/apache) with openssl command line tool
(/usr/local/ssl/bin) running command: "/usr/local/ssl/bin/openssl rsa -in
server.key -out server2.key ". Then stop server with "apachectl stop ",
rename server2.key to server.key, set permissons "chmod 400 server.key "
and start apache with "apachectl startssl ". Now it should run without
promting pass phrase, and should start from rc.d at boot time...
[/quote]
As for security ? well, yes, ultimately you should be there to manually
type the pass phrase each time, however - there tends to be a tradeoff
between security and usability, you will have to decide on what side of
the fence you fall.
If it is not acceptable to have a decrypted server key, then live with
typing the pass phrase to start apache. If you require automatic startup
then look into other methods to protect the key and have it decrypted.
The IIS server will start automagically as it will have a copy of the
decryption key somewhere and so assumes that usability is more important
than security.
--
Steve.
On Tue, 17 Feb 2004, Chris W. Parker wrote:
> hi.
>
> i just got a little https site working on my server in preperation for
> the real thing and i discovered that i have to enter the pass phrase
> each time httpd is started.
>
> i don 't know a lot about ssl but i know that on my windows box i don 't
> have to enter a pass phrase ever.
>
> so i found out that my options are to leave things as they are and
> always have to enter the pass phrase upon start, or decrypt the private
> key. i can 't find any info on exactly how to decrypting the private key
> but i do see that multiple pages recommend against this.
>
> however, i wonder, if someone has access to my decrypted private key
> doesn 't that mean they also have access to my box? therefore, encrypted
> private key or not, i 'm wide open?
>
> having to enter the pk each time httpd starts is not a good thing as
> this server is meant to be up 24/7 and could possibly be restarted when
> no one is available to put in the pass phrase.
>
>
> i 'm basically at a loss as to what i should do regarding this/what
> action i should take. please advise.
>
>
>
> thanks,
> chris.
>
>
>
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
|
|
|