SSL certs/keys and Apache

Ben Scott dragonhawk at gmail.com
Wed Sep 12 13:09:02 EDT 2007


On 9/12/07, Thomas Charron <twaffle at gmail.com> wrote:
>   Anyone ever use a passphrase protected private key with apache, and
> found a way to provide the passkey safely to apache without requiring
> the passphrase be typed in each time the private key is used?

  Contradictory goals.

  The idea behind a passphrase is that someone who steals the key
can't use it because the passphrase only exists in wetware (you
brain).  The idea behind unattended startup is wetware is not to be
involved.

  You can put the passphrase in a file, of course, but then the
attacker just steals the passphrase file.  You haven't secured
anything, you've just moved the problem around.

  Some people put the key on an external medium (say, a floppy
diskette, CD-ROM, or USB flash drive), and physically remove the
medium except during Apache startup.  This means you're safer against
a remote attack, but now someone still has to be there to do the
medium attachment, and that someone can still use the medium to read
the passphrase, so you might as well just tell them the passphrase.
Or write it on a Post-It note and stick it to the CRT, along with
instructions on how to type it in when the system is sitting there
during boot prompting for it.

-- Ben


More information about the gnhlug-discuss mailing list