SSL certs/keys and Apache
Thomas Charron
twaffle at gmail.com
Wed Sep 12 13:36:28 EDT 2007
On 9/12/07, Ben Scott <dragonhawk at gmail.com> wrote:
> On 9/12/07, Thomas Charron <twaffle at gmail.com> wrote:
> > Anyone ever use a passphrase protected private key with apache, and
> > found a way to provide the passkey safely to apache without requiring
> > the passphrase be typed in each time the private key is used?
> Contradictory goals.
> The idea behind a passphrase is that someone who steals the key
> can't use it because the passphrase only exists in wetware (your
> brain). The idea behind unattended startup is wetware is not to be
> involved.
Yup. :-) I know. And on a production machine, I totally agree.
In my case, however, safety is not, at least at this point, a primary
concern. Chances are, once this is past development, I'll revoke the
certificate, trash the key, and redo an entirely new one.
In the meantime, I have found that you can actually remove the
passphrase from the key easily enough with the standard openssl
application. :-)
--
-- Thomas
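
Removing the passphrase as described in the message above, as an added example that is not part of the original post. It assumes an RSA key and the `openssl rsa` subcommand (the message does not name one); the file names and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: strip the passphrase from an RSA private key on a dev box.
# File names and the passphrase are constructed; nothing here is from the post.

# is_encrypted KEY -> exit 0 if the PEM file is passphrase protected.
# Matches "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY".
is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# strip_passphrase IN OUT PASSFILE
# The passphrase is read from a file so it never shows up in the process
# list, and OUT is created under umask 077 because it is now usable by
# anyone who can read it.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -passin "file:$3" -out "$2" 2>/dev/null )
}

# pubkey KEY PASSFILE -> prints the public half of the key.
pubkey() {
    openssl rsa -in "$1" -passin "file:$2" -pubout 2>/dev/null
}

# same_key A B PASSFILE -> exit 0 if both files hold the same private key.
same_key() {
    [ -n "$(pubkey "$1" "$3")" ] && [ "$(pubkey "$1" "$3")" = "$(pubkey "$2" "$3")" ]
}

# demo: build a throwaway encrypted key, strip it, verify. Prints "ok".
demo() {
    d=$(mktemp -d) || return 1
    rc=0
    printf '%s\n' 'constructed-demo-passphrase' > "$d/pass"
    {
        openssl genrsa -aes256 -passout "file:$d/pass" -out "$d/server.key" 2048 2>/dev/null &&
        strip_passphrase "$d/server.key" "$d/server.nopass.key" "$d/pass" &&
        is_encrypted "$d/server.key" &&
        ! is_encrypted "$d/server.nopass.key" &&
        same_key "$d/server.key" "$d/server.nopass.key" "$d/pass" &&
        [ "$(ls -l "$d/server.nopass.key" | cut -c1-10)" = "-rw-------" ]
    } || rc=1
    rm -rf "$d"
    [ "$rc" -eq 0 ] && echo ok
}

demo
```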