Urgent: remove password from server cert?

[Paul <yd...@yahoo.com>]

In a sudden (and late) moment of epiphany, I just realized (while
writing a note to our CSA to please put the new server's startup in the
machines boot cycle) that when we reboot (*every* monday morning in the
wee hours) it's not terribly likely that anyone's going to be around to
feed the password to the startup query.

This really needs to be automated.
Help? =o)

Paul
=====
Friends are those who,
when you must inconvenience them,
are less bothered by it than you. ;o]

__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/

Re: Urgent: remove password from server cert?

[James Lyon <ja...@aztec.co.uk>]

> machines boot cycle) that when we reboot (*every* monday morning in the
> wee hours) it's not terribly likely that anyone's going to be around to
> feed the password to the startup query.

Why reboot every week? My web servers are never rebooted, save for hardware
upgrades...


> This really needs to be automated.

There is a security risk associated with automating it. There are
instructions for removing the password from the cert in the on-line doc's /
FAQs.

Re: Urgent: remove password from server cert?

[Winged Wolf <wi...@spastic.org>]

(Ralf: Documentation bug, see below for details)

This is addressed in the FAQ:
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC31 .

"When you can be sure that your server is secure enough you perform two
steps:

1. Remove the encryption from the RSA private key (while perserving the
original file):

	$ cp server.key server.key.org
	$ openssl rsa -in server.key.org -out server.key

2. Make sure the server.key file is now only readable by root:

	$ chmod 400 server.key

Now server.key will contain an unencrypted copy of the key.  If you point
your server at this file it will not prompt you for a pass-phrase.
HOWEVER, if anyone gets this key they will be able to impersonate you on
the net.  PLEASE make sure that the permissions on that file are really
such that only root or the web server user can read it (preferably get
your web server to start as root but run as another server, and have the
key readable only by root)."

Ralf: document bug, it says "preferably get your webserver to start as
root but run as another server".  That should read '...as another user".

---
Mat Butler, Winged Wolf                       <wi...@spastic.org>
SPASTIC Web Engineer                  SPASTIC Server Administrator
----Begin FurryCode v1.3----
FCWw5amrsw A- C+ D H+++ M+++++[servercoder] P+ R++ T+++ W Z++ Sm++ 
RLCT/M*/LW* a cl/u/v++++>+++++ !d e- f>++++ h++ iwf+++ j p->+ sm++
----End FurryCode v1.3----


On Wed, 31 May 2000, Paul wrote:

> In a sudden (and late) moment of epiphany, I just realized (while
> writing a note to our CSA to please put the new server's startup in the
> machines boot cycle) that when we reboot (*every* monday morning in the
> wee hours) it's not terribly likely that anyone's going to be around to
> feed the password to the startup query.
> 
> This really needs to be automated.
> Help? =o)
> 
> Paul
> =====
> Friends are those who,
> when you must inconvenience them,
> are less bothered by it than you. ;o]
> 
> __________________________________________________
> Do You Yahoo!?
> Send instant messages & get email alerts with Yahoo! Messenger.
> http://im.yahoo.com/
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      modssl-users@modssl.org
> Automated List Manager                            majordomo@modssl.org
>