Hi Ingrid,

On Aug 28, 2008, at 6:31 AM, Tan, Liao wrote:

OK, I see. I can simply remove the passphrase, and provided the new key is readable by root only, I should not have any security problems... is it simply removing it? Or any other settings, configurations, re-installation?

What has been proposed is that you decrypt the private key and have Apache use that, so it won't prompt for a password when it starts up. This requires no reconfiguration except to point Apache to the file that contains the decrypted private key.

Giving the key read-only permissions for only the root user is a good idea. You should end up with permissions that look like -r-------- and root ownership in the ls -l output for the key file.

The discussion on whether to start Apache as root is off-topic for this thread, and potentially harmful. Apache starts as root for two very good reasons: 1) to bind to low-numbered ports and 2) to open log files for writing in locations to which its children can't write. The server reads the configuration files (and the private key file) while it is still root, and its children inherit that configuration, and the open file descriptors for the sockets and the log file, after they change user id.

Because the children change user id, they can't write to the log directory, or in fact anywhere except directories like /tmp. They also can't read that private key file, which offers some protection, although they have a copy of the key sitting in memory for use in SSL handshakes. If someone were to find and exploit a vulnerability in the server software that allows them to read the entire memory space of the server, they can find that key. But this is true whether or not the private key was encrypted to begin with.

Does this give you enough security? That depends on how much security you need. The address from which you post suggests that you are in the financial service industry, and you might want to look into requirements within your company regarding private key protection. You don't tell us whether this is an Internet-facing server or not (and we really don't have to know), but please realize that if anyone were to retrieve the private key of your website, they can use that key and the certificate to impersonate your website with a simple DNS spoofing attack.

You could look into protecting the private key with a Hardware Security Module or HSM. An HSM protected key can only be used within the secure envelope of the HSM, so even if someone were to steal the key material they couldn't use it because the HSM stays behind in your data center. HSM protected keys can be configured to allow unattended starts of the server, without having to type passphrases. I work for a company that makes HSMs: contact me offline if you want to chat about this option.

S.

--
Sander Temme
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
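The steps discussed in this reply, as an added shell example that is not part of the original thread: the passphrase is stripped with `openssl rsa` into a file created under a restrictive umask, and a check function confirms the result is -r-------- and root-owned before Apache's SSLCertificateKeyFile directive is pointed at it. The file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# /etc/ssl/private/site.key.enc and site.key are placeholder paths.

# Decrypt an encrypted PEM private key into a new file. openssl prompts for
# the passphrase; umask 077 means the output file is never group- or
# world-readable, not even for an instant between creation and chmod.
strip_passphrase() {
    enc="$1"; plain="$2"
    ( umask 077 && openssl rsa -in "$enc" -out "$plain" ) || return 1
    chmod 0400 "$plain" && chown root "$plain"
}

# Print "<octal mode> <owner>" for a file (GNU stat first, BSD stat fallback).
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%OLp %Su' "$1"
}

# Return 0 only if FILE is mode 0400 and owned by OWNER (default root), i.e.
# the -r-------- root layout described above; anything looser returns 1.
key_is_locked_down() {
    file="$1"; owner="${2:-root}"
    out=$(file_mode_owner "$file") || return 1
    mode=${out%% *}; have_owner=${out#* }
    [ "$mode" = "400" ] && [ "$have_owner" = "$owner" ]
}

# Typical use (run as root):
#   strip_passphrase /etc/ssl/private/site.key.enc /etc/ssl/private/site.key
#   key_is_locked_down /etc/ssl/private/site.key && echo "ok to reference from SSLCertificateKeyFile"
```

Run the check again after any deployment or backup-restore step, since tools that copy the key can silently widen its permissions or change its owner.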



