On Tue, Dec 16, 2003 at 03:35:56PM +0000, Mark Watts wrote:
> It's probably easier if I paste stuff verbatim:
..
> # grep localstatedir /usr/bin/nessus-mkcert-client
> localstatedir=/var/lib
...
> # ls -l /etc/nessus/CA/
> total 20
> -rw-r--r-- 1 root root 1578 Dec 15 15:08 cacert.pem
> -rw------- 1 root root 891 Dec 15 15:08 cakey.pem
> -rw-r--r-- 1 root root 4474 Dec 15 15:09 servercert.pem
> -rw------- 1 root root 887 Dec 15 15:09 serverkey.pem

Lovely -- private keys and certs are mixed together in the same directory yet the script wasn't changed to reflect that!

There are two ways to proceed. On one hand, you could leave the files where they are and simply answer "/etc/nessus/CA" when nessus-mkcert-client prompts you for the private directory.

On the other, you could separate the private keys from the certs and adjust config files / scripts as necessary. This entails creating the directory /var/lib/nessus/CA, ensuring its ownership / permissions look like "drwx------ 2 root root", editing /etc/nessus/nessusd.conf to set key_file to "/var/lib/nessus/CA/serverkey.pem", restarting the daemon, and perhaps updating nessus-mkcert to ensure $localstatedir points to "/var/lib" as well.

The first approach is by far the simplest, but personally I prefer to keep private keys separate from certificates, especially when it's necessary that the directory be world-readable.

George
--
[EMAIL PROTECTED]
_______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus
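
The second approach from the message above (moving the private keys out of the world-readable certificate directory), written out as a shell script. This is an added example, not part of the original message or of Nessus; the prefix argument, the function names and the sample tree are assumptions made here so the steps can be rehearsed on a copy before touching the live files.

```sh
#!/bin/sh
# Added example (not from the post). $1 is a hypothetical staging prefix so the
# steps can be rehearsed on a copy; pass "" to act on the live system as root.
split_nessus_keys() {
    certdir="$1/etc/nessus/CA"         # certificates stay here (world-readable)
    keydir="$1/var/lib/nessus/CA"      # private keys move here
    conf="$1/etc/nessus/nessusd.conf"

    # The private directory must end up as "drwx------ 2 root root".
    mkdir -p -m 700 "$keydir" && chmod 700 "$keydir" || return 1
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$keydir" || return 1; fi

    # Move only the private keys; cacert.pem and servercert.pem are public.
    for key in cakey.pem serverkey.pem; do
        if [ -f "$certdir/$key" ]; then
            mv "$certdir/$key" "$keydir/$key" && chmod 600 "$keydir/$key" || return 1
        fi
    done

    # Point key_file at the new location (the path nessusd sees at run time),
    # writing through a temp file so the config keeps its own permissions.
    tmp=$(mktemp) || return 1
    sed 's|^key_file[[:space:]]*=.*|key_file=/var/lib/nessus/CA/serverkey.pem|' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc    # nessusd still has to be restarted to pick up the new path
}

# Count private keys still sitting beside the certificates (0 is the goal).
leftover_keys() {
    find "$1/etc/nessus/CA" -type f -name '*key.pem' | wc -l | tr -d ' '
}

# Constructed sample tree mirroring the directory listing quoted in the post;
# file contents are dummies and the config holds only the one relevant line.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/nessus/CA" || return 1
    for f in cacert.pem cakey.pem servercert.pem serverkey.pem; do
        echo dummy > "$d/etc/nessus/CA/$f"
    done
    printf '# constructed sample\nkey_file=/etc/nessus/CA/serverkey.pem\n' \
        > "$d/etc/nessus/nessusd.conf"
    echo "$d"
}
```

Running leftover_keys against the real prefix before and after the move gives a quick check that no *key.pem file remains in /etc/nessus/CA.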
