Hi Michael
Firstly, I agree with Scott: having a passphrase in a key cert is not a
good idea, but if it is your need you have to introduce the passphrase
every time the web server starts (manually or by script).
I've recently set up a key cert in my web server and the same (wildcard)
key cert works with my email server (smtp and imap). Nothing weird. I've
written about this process in
http://www.cesareox.com/opinion/articulos/43456/compra_certificado_ssl.html
(sorry, in Spanish).
Regards
Cesáreo
Scott Goodwin wrote:
Hi, Michael,
I haven't tested nsopenssl with a wildcard SSL cert but I'm assuming
it'll work as I don't think there's anything special that needs to be
done in OpenSSL. The keystore capability you're talking about is simply
a container to manage keys and certs -- it doesn't provide any special
security, though you can (I think) have a password on the keystore as a
whole as well as the normal individual passphrases on the private keys
stored within it.
Private keys for certs on web servers are a problem. If you leave the
passphrase on the key on the cert, you either have to store the
passphrase in plain text in a startup script or someone has to manually
type it in at web server start time. Insecure or inconvenient. Even in a
keystore, the keystore password must be available somehow in order for
the web server to access and use the key and certificate.
So what you need to figure out is how Apache or IIS are able to access
the group's key and certificate from the keystore so it can be used.
I'll bet the passphrase(s) are stored in plain text somewhere and if
that's the case, then you may as well export them from the keystore,
strip the key of its passphrase and use them in their regular file
format. I've only ever used keys and certs in their normal file format
because it's less opaque and because the keys and certificates rarely
change.
Let me know how you get on, especially if you have any problems with
wildcard certs or if I'm mistaken about keystore capabilities.
/s.
On Oct 31, 2008, at 6:46 PM, Michael Steigman wrote:
Hello list,
We would very much like to use an organizational wildcard cert with
Aolserver which contains a passphrase and is owned/managed by the
org's web group. Typically, the web group logs into servers (Windows
IIS or Apache is what they support) and "installs" the certificate
once and then again whenever the certificate is renewed. Although this
is not my area of expertise, my understanding is that these other
platforms utilize a key store.
I've asked around a bit within the community and so far, the only
suggestion has been to have the group copy the cert to our server and
strip the passphrase out via openssl. I'm uncertain whether the group
owning the cert will go along with this process so I thought I'd ask
the list if there is any other way to handle this situation?
Thanks,
Michael
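An added example, not from any of the posts in this thread, showing the "strip the passphrase via openssl" step Michael mentions together with the trade-off Scott raises: once the passphrase is gone the key file itself is the secret, so it is written owner-only and then checked against the certificate. The file names, the self-signed stand-in for the group's wildcard cert and the passphrase are all constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a passphrase-protected key plus a self-signed wildcard
# cert stand in for what the org's web group would hand over.
set -eu

WORKDIR=$(mktemp -d)

# Build the protected key and a matching cert (argument: the passphrase).
make_protected_key_and_cert() {
    openssl genrsa -aes256 -passout pass:"$1" \
        -out "$WORKDIR/wildcard.key.enc" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORKDIR/wildcard.key.enc" -passin pass:"$1" \
        -subj "/CN=*.example.com" -days 1 -out "$WORKDIR/wildcard.crt" 2>/dev/null
}

# Remove the passphrase so the server can start unattended. The plaintext
# key is now the only secret, so umask 077 makes the file owner-readable only.
strip_passphrase() {
    ( umask 077
      openssl rsa -in "$WORKDIR/wildcard.key.enc" -passin pass:"$1" \
          -out "$WORKDIR/wildcard.key" 2>/dev/null )
}

# Confirm the stripped key belongs to the cert by comparing the SHA-256 of the
# public key derived from each. Echoes "match" or "mismatch".
key_matches_cert() {
    k=$(openssl rsa -in "$WORKDIR/wildcard.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORKDIR/wildcard.crt" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# Report whether a PEM key file is still passphrase-protected ("yes"/"no").
# Both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "ENCRYPTED PRIVATE KEY" banner contain the word ENCRYPTED.
key_is_encrypted() {
    grep -q "ENCRYPTED" "$1" && echo yes || echo no
}
```

Call the functions in order (make_protected_key_and_cert, strip_passphrase, key_matches_cert); the plaintext key in $WORKDIR is what would be handed to the server, and its permissions are the control that replaces the passphrase.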
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to
<[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the
Subject: field of your email blank.