Standard location for apache ssl certificates .key files.
Kees Cook
kees at ubuntu.com
Mon Aug 18 17:26:39 UTC 2008
Hi,
On Mon, Aug 18, 2008 at 01:34:51AM +0200, tacone wrote:
> Hello, we're building an ssl plugin for the Apache configurator
> software we're building.
>
> As we try to implement and promote the best practices, we found
> ourselves stuck when trying to determine where the .key file of the
> certificate should be placed, and with which permissions.
>
> /etc/ssl/private seems the best option, but it's (correctly) readable
> only by root, so Apache complains that files either doesn't exist or
> it's empty.
When apache loads the private keys, it is running as root, and will not
complain.
> We could easily create our own /etc/apache2/ssl/private directory
> owned by www-data, but first we'd like to know if there's already a
> standard location about storing SSL certificates to be used by Apache.
Allowing private keys to be readable my www-data is very bad idea,
security-wise. This means any program running under CGI, PHP, etc, will
be able to read these files. This totally breaks the purpose of the
"private" part of private keys.
> Which directory ? Which permissions? What's the best practice ?
/etc/ssl/private is the right place, the permissions are already correct
(rwx user root, x group ssl-cert). Manipulating private keys from within
Apache is not something I would recommend.
-Kees
--
Kees Cook
Ubuntu Security Team
More information about the ubuntu-server
mailing list