Re: remove passphrase from the key?

2006-03-07 Thread Bernhard Froehlich

kloomis wrote:

> At 11:17 PM 3/6/2006 -0700, you wrote:
>
>> The practical upshot of this is, yes, your apache configuration needs
>> the privkey.pem file in order to do SSL/TLS at all.
>
> I have myServer.csr, myServer.cert and myServer.key located in
> ssl.csr, ssl.crt, and ssl.key respectively.  The ssl.conf points to
> the cert and the key.  There is a privkey.pem in ssl.pem, but there is
> no reference in the ssl.conf to it.
>
> I have these settings in the ssl.conf:
>
> #   Server Certificate:
> SSLCertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert
>
> #   Server Private Key:
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/myServer.com.key
>
> #   Certificate Authority (CA):
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert
>
> Should the private key be the .pem?  Is the .key a public key?  Where
> should it go?

The private key (which also includes the public part) should be in the
file referenced by SSLCertificateKeyFile. I think you did name the
private keyfile something.key. SSLCertificateFile points to the
certificate file which was generated by the CA (key and certificate may
be in the same file).

BTW, SSLCACertificateFile should contain your CA's cert.

> Ken.

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26



smime.p7s
Description: S/MIME Cryptographic Signature


remove passphrase from the key?

2006-03-06 Thread kloomis

Hello:

I have some directions on how to build a self-signed certificate which
consists of 5 steps.
1) create a key and a request
2) Remove the passphrase from the key (optional)
3) sign the certificate
4) install the cert and the key
5) set the SSLConf to point to the cert and the key.

My question is what are the effects of removing the passphrase from the
key? Is the data still encrypted? Also, does anything in the
process need the privkey.pem file that is created once the cert and key
are created?

Thanks,

Ken





Re: remove passphrase from the key?

2006-03-06 Thread Bernhard Froehlich

kloomis wrote:

> Hello:
>
> I have some directions on how to build a self-signed certificate which
> consists of 5 steps.
>
> 1) create a key and a request
> 2) Remove the passphrase from the key (optional)
> 3) sign the certificate
> 4) install the cert and the key
> 5) set the SSLConf to point to the cert and the key.
>
> My question is what are the effects of removing the passphrase from the key?

Advantage: You can use the key without supplying a passphrase; this
simplifies, for example, the startup procedure of an SSL-enabled Apache server.
Disadvantage: You can use the key without supplying a passphrase; this
is very bad if someone who should not can read privkey.pem.

> Is the data still encrypted?

No. Even if it were, it would be of no use since everyone could decrypt it
without a passphrase.

> Also, does anything in the process need the privkey.pem file that is
> created once the cert and key are created?

privkey.pem is not needed by the process of certificate generation once
the request is generated, but you'll need it once you want to use this
certificate to authenticate yourself, for example when opening an SSL
connection or signing an email.

> Thanks,
>
> Ken

I'm not sure if I understood your problem; in case I missed it, please
clarify your needs.

Hope it helps,
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26



smime.p7s
Description: S/MIME Cryptographic Signature


Re: remove passphrase from the key?

2006-03-06 Thread kloomis

At 11:24 PM 3/6/2006 +0100, you wrote:

>> Also, does anything in the process need the privkey.pem file that is
>> created once the cert and key are created?
>
> privkey.pem is not needed by the process of certificate generation once
> the request is generated, but you'll need it once you want to use this
> certificate to authenticate yourself, for example when opening an SSL
> connection or signing an email.
> I'm not sure if I understood your problem; in case I missed it, please
> clarify your needs.

Ted, thanks for your reply.

To clarify the above question, once the certificate has been generated
and signed, is it necessary that the file privkey.pem be present for
normal encryption and decryption of HTML data transmissions?  If it
is needed, I don't see where in the sslconf file it is referenced.

Thanks,

Ken


Re: remove passphrase from the key?

2006-03-06 Thread Kyle Hamilton
Please see comments inline with the questions.

On 3/6/06, kloomis [EMAIL PROTECTED] wrote:
> Hello:
>
> I have some directions on how to build a self-signed certificate which
> consists of 5 steps.
> 1) create a key and a request
> 2) Remove the passphrase from the key (optional)
> 3) sign the certificate
> 4) install the cert and the key
> 5) set the SSLConf to point to the cert and the key.
>
> My question is what are the effects of removing the passphrase from the key?

No need to enter a passphrase to use the key.  This means that you
don't need to type in (or supply) the passphrase during the startup;
however, if anyone else gets their hands on the privkey.pem file it
means that they can masquerade as you (and listen in on all of your
traffic).

> Is the data still encrypted?

The SSL/TLS session is still encrypted on the wire.  SSL/TLS has never
guaranteed anything beyond the encryption of the data on the wire,
though, so adequate security (possibly including encryption for the
database you query or such) needs to be built into your application as
well.

> Also, does anything in the process need the
> privkey.pem file that is created once the cert and key are created?

Without the privkey.pem, the cert is useless.  The certificate 'binds'
an identity to a public key; however, it only holds the public key,
not the private key.  The nature of the encryption method used is that
it's very difficult to decrypt data encrypted with the private key
without the public key, and very difficult to decrypt data encrypted
with the public key without the private key.

The practical upshot of this is, yes, your apache configuration needs
the privkey.pem file in order to do SSL/TLS at all.

> Thanks,
>
> Ken

-Kyle
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
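The five steps Ken lists, followed by the checks that answer the questions in this thread, carried out with the openssl command line. This is an added example of my own, not code from the thread, the OpenSSL project or mod_ssl. It assumes `openssl` (1.x or 3.x) is on PATH and works in a temporary directory; the host name myServer.com, the passphrase and the file names are constructed demo values.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSSL project: Ken's five steps
# with the openssl CLI, then the checks a server admin wants before pointing
# Apache at the files.  Assumes `openssl` (1.x or 3.x) is on PATH.  WORK,
# myServer.com and PASS are constructed demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS='demo-passphrase'      # constructed; a real passphrase would not live in a script
SUBJ='/CN=myServer.com'

# Step 1: a passphrase-protected key and a certificate request signed with it.
make_key_and_request() {
    openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$WORK/myServer.key.enc" 2048 2>/dev/null
    openssl req -new -key "$WORK/myServer.key.enc" -passin "pass:$PASS" \
        -subj "$SUBJ" -out "$WORK/myServer.csr" 2>/dev/null
}

# Step 2 (optional): write the same key without the passphrase.  The key is
# unchanged; only the file is now plaintext, so lock its mode down at once.
remove_passphrase() {
    openssl rsa -in "$WORK/myServer.key.enc" -passin "pass:$PASS" \
        -out "$WORK/myServer.key" 2>/dev/null
    chmod 600 "$WORK/myServer.key"
}

# Step 3: self-sign the request with that key; the cert is then its own issuer.
self_sign() {
    openssl x509 -req -in "$WORK/myServer.csr" -signkey "$WORK/myServer.key" \
        -days 365 -out "$WORK/myServer.cert" 2>/dev/null
}

# "Is the data still encrypted?" -- the key FILE is, only while it has a passphrase.
key_is_encrypted() {
    if grep -q ENCRYPTED "$1"; then echo yes; else echo no; fi
}

# Can the key be loaded with no passphrase at all (what an unattended httpd
# start needs)?  An empty passphrase is supplied so nothing ever prompts.
key_usable_without_passphrase() {
    if openssl pkey -in "$1" -noout -passin pass: </dev/null >/dev/null 2>&1
    then echo yes; else echo no; fi
}

# Does this (plaintext) key belong to this certificate?  The cert carries only
# the public key, so compare it with the public half derived from the private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout </dev/null 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# Would this cert verify against the CA file Apache is given?  For a
# self-signed cert the CA file is the cert itself.
cert_verifies_against_ca() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Is the plaintext key readable by its owner only?
key_mode_is_owner_only() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in 600|400) echo yes ;; *) echo no ;; esac
}

make_key_and_request
remove_passphrase
self_sign
printf 'key with passphrase   : encrypted=%s usable-unattended=%s\n' \
    "$(key_is_encrypted "$WORK/myServer.key.enc")" \
    "$(key_usable_without_passphrase "$WORK/myServer.key.enc")"
printf 'key without passphrase: encrypted=%s usable-unattended=%s mode-ok=%s\n' \
    "$(key_is_encrypted "$WORK/myServer.key")" \
    "$(key_usable_without_passphrase "$WORK/myServer.key")" \
    "$(key_mode_is_owner_only "$WORK/myServer.key")"
printf 'key matches cert      : %s\n' \
    "$(key_matches_cert "$WORK/myServer.key" "$WORK/myServer.cert")"
printf 'cert is its own CA    : %s\n' \
    "$(cert_verifies_against_ca "$WORK/myServer.cert" "$WORK/myServer.cert")"
```

`key_is_encrypted` is Ted's "No." made visible: after step 2 the file no longer carries an ENCRYPTED header, and anyone who can read it can use it, which is why the chmod sits next to the strip. `key_usable_without_passphrase` shows the trade-off Ted and Kyle describe: the passphrase-protected key cannot be loaded without someone supplying the passphrase, the stripped one can, so an unattended httpd start needs either step 2 or a passphrase source such as mod_ssl's SSLPassPhraseDialog. `key_matches_cert` is the check for Kyle's point that the cert holds only the public key: it compares the public key in the cert with the one derived from the file named in SSLCertificateKeyFile, so a wrong or missing key is caught before Apache is restarted.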


Re: remove passphrase from the key?

2006-03-06 Thread Kyle Hamilton
SSLPrivateKeyFile filename

At least that's what it was on older versions of Apache; check the
documentation on mod_ssl for more information.

-Kyle H

On 3/6/06, kloomis [EMAIL PROTECTED] wrote:
> At 11:24 PM 3/6/2006 +0100, you wrote:
>
>>> Also, does anything in the process need the privkey.pem file that is created
>>> once the cert and key are created?
>>
>> privkey.pem is not needed by the process of certificate generation once the
>> request is generated, but you'll need it once you want to use this
>> certificate to authenticate yourself, for example when opening an SSL
>> connection or signing an email.
>> I'm not sure if I understood your problem; in case I missed it, please
>> clarify your needs.
>
> Ted, thanks for your reply.
>
> To clarify the above question, once the certificate has been generated and
> signed, is it necessary that the file privkey.pem be present for normal
> encryption and decryption of HTML data transmissions?  If it is needed, I
> don't see where in the sslconf file it is referenced.
>
> Thanks,
>
> Ken


Re: remove passphrase from the key?

2006-03-06 Thread kloomis

At 11:17 PM 3/6/2006 -0700, you wrote:

> The practical upshot of this is, yes, your apache configuration needs
> the privkey.pem file in order to do SSL/TLS at all.

I have myServer.csr, myServer.cert and myServer.key located in ssl.csr,
ssl.crt, and ssl.key respectively. The ssl.conf points to the cert
and the key. There is a privkey.pem in ssl.pem, but there is no
reference in the ssl.conf to it.

I have these settings in the ssl.conf:

# Server Certificate:
SSLCertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert

# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/myServer.com.key

# Certificate Authority (CA):
SSLCACertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert

Should the private key be the .pem? Is the .key a public key?
Where should it go?  

Ken.
