[Cialug] SSL & private key ?

Tue Jun 5 12:42:06 CDT 2007

 I keep the private keys in /etc/apache2/ssl.key/  (/etc/httpd/ssl.key/
on RH).
Why?  Well, if a user's account gets compromised, you don't want to
have to re-roll your keys and certs.
I don't know if that's "right" or not, but when you have lots and lots
of keys and certs (multi-hosting), it's nice to have them in one place.

I also name them as such:

/etc/httpd/ssl.key/www.example.com-20080605.key
/etc/httpd/ssl.csr/www.example.com-20080605.csr
/etc/httpd/ssl.crt/www.example.com-20080605.crt

With links as such:

/etc/httpd/ssl.key/www.example.com.key -> www.example.com-20080605.key
/etc/httpd/ssl.crt/www.example.com.crt -> www.example.com-20080605.crt

And then I set apache to use the links.  Why?  This keeps everything
together and sortable by date (thanks to the lovely "cut" and paste"
commands).  It also allows me to roll new certs as old ones expire
without needing to change the apache configs.  That way, once you go
through the pain of setting up your LISTEN statements in httpd.conf and
your virtual host lines, you never have to touch them again, you can do
all your maintenance through openssl.

I don't know of any HOWTOs that do it this way, it's just what I've
evolved so that we have a simple system that new employees can't screw
up as easily.  (One negative of multi-hosting is that a newbie's mistake
can bring down all of the websites in one swell foop.)

>From a security perspective, make sure that everything in the SSL world
is owned by root.  Read should be world on the crt and root-only on the
csr (limits man-in-the-middle hoax attacks).  Depending on how you have
apache set to drop privs, you'll have different restrictions possible on
the key files -- just keep is as restrictive as your system will allow. 
If you're in the SUSE world, use AppArmor, if you're in the RH world,
cross your fingers and use SELinux.  Outside of that, try AppArmor as
it's open source now.  (I've never tried it in the debuntu world though,
let me know how it works).

-Josh More, RHCE, CISSP, NCLP, GIAC 
 morej at alliancetechnologies.net 
 515-245-7701

>>> "albus" <albus at iowaconnect.com> 06/05/07 12:17 PM >>> 
I have the virual hosts all using different IP #'s already just for
that reason.

So do I create the private key in the other users home www dir then as
root again?

Or does someone have a link or howto I can read on?

-----  Original Message -----  
From: "Josh More" <morej at alliancetechnologies.net>
To: "Central Iowa Linux Group" <cialug at cialug.org>
Sent: Tuesday, June 05, 2007 11:49 AM
Subject: Re: [Cialug] SSL & private key ?

> Apache uses SSL private keys and certs as paired for each virtual
host.
> If I understand your question, you are wanting to know whether to
use
> the same private key for all virtual hosts.  The answer is NO.
> You need to create a unique private key and cert for each virtual
host
> that you wish to protect
> 
> Also, please bear in mind that HTTPS traffic is encrypted, so you
will
> need to segment your virtual hosts at the network level.  This means
> using a unique IP or port number for each host you run.  Otherwise,
the
> server doesn't know how to decrypt the packet to get the name of the
> virtual host.
> 
> I hope this answers your question.
> 
> 
> 
> 
> - Josh More, RHCE, CISSP, NCLP, GIAC 
> morej at alliancetechnologies.net 
> 515- 245- 7701
> 
> 
> 
>>>> "albus" <albus at iowaconnect.com> 06/05/07 11:21 AM >>> 
> To start off heres the background
> 
> 1. I created a private key as root in the users dir.
> 2. I generated the csr in the users dir.
> 3. I have the cert installed in the users dir and https all works
for
> the site.
> 
> Now the question.
> 
> When I go to do another sites SSL cert. does the server
> use the same private key for all requests?
> 
> Info:
> Apache server with openssl and mod_ssl.
> 
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
> 
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
> 
>

_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug