Please see comments inline with the questions.

On 3/6/06, kloomis <[EMAIL PROTECTED]> wrote:
>  Hello:
>
>  I have some directions on how to build a self-signed certificate which
> consists of 5 steps.
>  1) create a key and a request
>  2) Remove the passphrase from the key (optional)
>  3) sign the certificate
>  4) install the cert and the key
>  5) set the SSLConf to point to the cert and the key.
>
>  My question is what are the effects of removing the passphrase from key?

No need to enter a passphrase to use the key.  This means that you
don't need to type in (or supply) the passphrase during the startup;
however, if anyone else gets their hands on the privkey.pem file it
means that they can masquerade as you (and listen in on all of your
traffic).

> Is the data still encrypted?

The SSL/TLS session is still encrypted on the wire.  SSL/TLS has never
guaranteed anything beyond the encryption of the data on the wire,
though, so adequate security (possibly including encryption for the
database you query or such) needs to be built into your application as
well.

>  Also, does anything in the process need the
> privkey.pem file that is created once the cert and key are created?

Without the privkey.pem, the cert is useless.  The certificate 'binds'
an identity to a public key; however, it only holds the public key,
not the private key.  The nature of the encryption method used is that
it's very difficult to decrypt data encrypted with the private key
without the public key, and very difficult to decrypt data encrypted
with the public key without the private key.

The practical upshot of this is, yes, your Apache configuration needs
the privkey.pem file in order to do SSL/TLS at all.

>
>  Thanks,
>
>  Ken

-Kyle
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
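The five steps from Ken's question, scripted end to end against the openssl
command line, as an added example that is not part of the thread or of the
OpenSSL project's own documentation. The hostname, the passphrase and the
scratch directory are assumptions for the demo; the file names follow the
thread (privkey.pem, cert.pem). The checks at the end are what I would run
before pointing httpd at the files: that the original key is encrypted, that
the stripped copy is not (so it has to be protected by file permissions
instead), and that the certificate's public key really belongs to the private
key it will be served with.

```shell
#!/bin/sh
# Added example: Ken's five steps driven by the openssl CLI.
# Assumptions for the demo: hostname, passphrase and scratch directory below.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"          # assumed scratch dir instead of /etc/ssl
HOST="www.example.com"                # assumed server name
PASS="correct horse battery staple"   # assumed passphrase, demo only

# Step 1: passphrase-protected RSA key plus a certificate signing request.
make_key_and_request() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/privkey.pem" 2048
    openssl req -new -key "$WORK/privkey.pem" -passin "pass:$PASS" \
        -subj "/CN=$HOST" -out "$WORK/request.csr"
}

# Step 2 (optional): strip the passphrase so httpd can start unattended.
# The output is the bare secret: anyone who can read it can impersonate $HOST.
remove_passphrase() {
    openssl rsa -in "$WORK/privkey.pem" -passin "pass:$PASS" \
        -out "$WORK/privkey-nopass.pem"
}

# Step 3: self-sign the request with the same key.
sign_certificate() {
    openssl x509 -req -days 365 -in "$WORK/request.csr" \
        -signkey "$WORK/privkey-nopass.pem" -out "$WORK/cert.pem"
}

# Step 4: "install" = copy into place, owner-only permissions on the key.
install_cert_and_key() {
    mkdir -p "$WORK/etc/ssl"
    cp "$WORK/cert.pem" "$WORK/etc/ssl/cert.pem"
    cp "$WORK/privkey-nopass.pem" "$WORK/etc/ssl/privkey.pem"
    chmod 0644 "$WORK/etc/ssl/cert.pem"
    chmod 0600 "$WORK/etc/ssl/privkey.pem"
}

# Step 5: the mod_ssl directives that point at both files.
write_ssl_conf() {
    cat > "$WORK/ssl.conf" <<EOF
SSLEngine on
SSLCertificateFile    $WORK/etc/ssl/cert.pem
SSLCertificateKeyFile $WORK/etc/ssl/privkey.pem
EOF
}

# Checks worth running before restarting httpd.
# Encrypted PEM carries either "Proc-Type: 4,ENCRYPTED" (OpenSSL 1.x)
# or "BEGIN ENCRYPTED PRIVATE KEY" (OpenSSL 3); a stripped key has neither.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# The cert only holds the public key; compare it with the one derived
# from the private key so the pair httpd loads actually belongs together.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

run_demo() {
    make_key_and_request
    remove_passphrase
    sign_certificate
    install_cert_and_key
    write_ssl_conf
}

run_demo
key_is_encrypted "$WORK/privkey.pem" && echo "privkey.pem: passphrase-protected"
key_is_encrypted "$WORK/etc/ssl/privkey.pem" || echo "installed key: NO passphrase, guard it with file permissions"
key_matches_cert "$WORK/etc/ssl/cert.pem" "$WORK/etc/ssl/privkey.pem" && echo "cert and key match"
echo "mod_ssl snippet written to $WORK/ssl.conf"
```

If you skip step 2 and keep the passphrase on the key, mod_ssl will ask for it
at every startup (or run whatever SSLPassPhraseDialog points at), which is the
trade-off Kyle describes above: unattended restarts versus a key file that is
useless on its own if copied off the box.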