On Wed, 6 Feb 2002, Owen Boyle wrote:

> Having a password means that no-one can use your certificate - even if
> they obtain a copy of it. They can load the cert into their server but
> it won't let the server come up unless they know the password.
>
> The downside is that you have to type in the password personally to
> start apache. Tricks like putting the password in a program and so on
> just shift the risk - the hacker just needs to grab the program.
>
> My personal tuppence-worth is that if you have a machine where there is
> a risk that hackers can steal root-privileged files then you should not
> be running it as an SSL web-server (if they can steal a cert, they can
> steal your customer's private data - exposing you to a liability issue).
> So if you protect your server to the utmost, you have no need of a
> password protected certificate.
s/certificate/private key/g, and this matches my sentiments exactly.
Passphrases just give a false sense of security.

--Cliff

--------------------------------------------------------------
Cliff Woolley                                  [EMAIL PROTECTED]
Charlottesville, VA

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
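The practical upshot of both posts is that the control that matters is who can read the private key file on the server, with or without a passphrase. The script below is an added example (not from this thread and not part of mod_ssl) that a server operator could run as an audit: it classifies a PEM file as passphrase-encrypted or plaintext, using the `ENCRYPTED PRIVATE KEY` PKCS#8 label and the traditional OpenSSL `Proc-Type: 4,ENCRYPTED` header, and flags key files that are readable by group or others. The PEM blobs embedded in it are constructed placeholders with dummy bodies, not real key material; the function names are my own.

```python
import os
import re
import stat

# Constructed sample PEM blobs (placeholder bodies, not real keys) so the
# audit can be exercised offline.
ENCRYPTED_TRADITIONAL = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

ENCRYPTED_PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END ENCRYPTED PRIVATE KEY-----
"""

PLAINTEXT_PKCS1 = """-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

CERT_ONLY = """-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBjZXJ0
-----END CERTIFICATE-----
"""


def key_encryption_status(pem_text: str) -> str:
    """Return 'encrypted', 'plaintext' or 'no-key' for one PEM blob.

    PKCS#8 keys carry the passphrase status in the BEGIN label itself;
    the traditional OpenSSL format (BEGIN RSA/DSA/EC PRIVATE KEY) marks
    a passphrase-protected key with a 'Proc-Type: 4,ENCRYPTED' header.
    """
    m = re.search(r"-----BEGIN ([A-Z ]+?)-----", pem_text)
    if not m or "PRIVATE KEY" not in m.group(1):
        return "no-key"
    if m.group(1) == "ENCRYPTED PRIVATE KEY":
        return "encrypted"
    if re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", pem_text, re.MULTILINE):
        return "encrypted"
    return "plaintext"


def audit_key(pem_text: str, mode: int) -> list:
    """Produce audit findings for a key blob stored with the given file mode.

    `mode` is the permission bits of the file (e.g. 0o600). Findings are
    strings; an empty list means nothing to report.
    """
    findings = []
    status = key_encryption_status(pem_text)
    if status == "no-key":
        return ["file does not contain a private key"]
    if status == "plaintext":
        findings.append(
            "key is stored without a passphrase: anyone who can read the "
            "file can use it"
        )
    # Regardless of passphrase, the key file should not be readable beyond
    # its owner (0400 or 0600 is the usual choice for a web server key).
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            "key file is readable by group/others (mode %04o); "
            "restrict to 0600 or 0400" % (mode & 0o777)
        )
    return findings


def audit_key_file(path: str) -> list:
    """Audit a key file on disk: reads its contents and permission bits."""
    st = os.stat(path)
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    return audit_key(text, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    # Run over the constructed samples with representative modes.
    for name, blob, mode in [
        ("encrypted-traditional", ENCRYPTED_TRADITIONAL, 0o600),
        ("encrypted-pkcs8", ENCRYPTED_PKCS8, 0o640),
        ("plaintext-pkcs1", PLAINTEXT_PKCS1, 0o644),
        ("cert-only", CERT_ONLY, 0o644),
    ]:
        print(name, audit_key(blob, mode) or ["ok"])
```

Pointing `audit_key_file` at each key referenced by an `SSLCertificateKeyFile` directive gives a quick inventory of which keys rely on a passphrase and which rely solely on file permissions; the latter is the case both posters consider acceptable only when the server itself is locked down.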