Hi, Thanks. I decrypted it this afternoon actually and it works fine. Still bugs me that it doesn't work with it encrypted, but that's another day [and not my problem :)]
However, the next problem is... With two vhosts configured, apache-ssl seems to only send out the cert for the 'default' domain regardless of which vhost I go after. Even though each vhost has a separate specified .pem file. Yippi. :(

~ Darryl

----- Original Message -----
From: "Craig Sanders" <[EMAIL PROTECTED]>
To: "D. Clarke" <[EMAIL PROTECTED]>
Cc: <debian-isp@lists.debian.org>
Sent: Sunday, March 02, 2003 8:13 PM
Subject: Re: Apache-SSL 'n Cert Fun

> On Sun, Mar 02, 2003 at 08:01:20AM -0500, D. Clarke wrote:
> > apache-ssl works fine without an encrypted test key & cert... once
> > encrypted pewf, it dies (which I need, because that's how the client
> > gave it to me... ugh.)
> >
> > Any new ideas? :)
>
> use openssl and the pass-phrase to decrypt the cert. then configure
> apache to use the decrypted copy.
>
>
> using encrypted certificates on a web server is worse than useless.
> either:
>
> 1. you store the pass-phrase on the server so that the startup
> scripts can read it (which is pointless, any attacker that could get an
> unencrypted cert could also get an encrypted cert plus the passphrase)
>
> or
>
> 2. you manually enter the passphrase every time apache is restarted.
> this effectively prevents automatic startup of your web server at boot
> time (e.g. after a power failure, or kernel upgrade etc), and also makes
> it impossible for staff to restart the server unless they know the
> pass-phrases for all encrypted keys used by the server.
>
>
> since there's no security advantage in using encrypted certificates
> (item #1 above), and significant operational disadvantages (item #2),
> your best bet is to use unencrypted certificates.
>
>
> craig
>
> --
> craig sanders <[EMAIL PROTECTED]>
>
> Fabricati Diem, PVNC.
> -- motto of the Ankh-Morpork City Watch
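The decryption step recommended in the quoted reply, as an added example that is not part of the original thread: it strips the passphrase from a PEM private key, keeps the result readable only by its owner, and confirms the decrypted copy is the same key. File names and the passphrase are constructed sample values, and using `openssl pkey` with a passphrase file (rather than `openssl rsa` with a prompt) is an assumption of this sketch.

```shell
#!/usr/bin/env bash
# Decrypt a passphrase-protected PEM private key for use by a web server.

# Succeeds if the PEM file is still passphrase-protected (traditional
# "Proc-Type: 4,ENCRYPTED" header or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Print the public half of a private key. $2 is an optional passphrase
# file, needed only while the key is still encrypted.
pubkey_of() {
    if [ -n "${2:-}" ]; then
        openssl pkey -in "$1" -passin "file:$2" -pubout
    else
        openssl pkey -in "$1" -pubout
    fi
}

# decrypt_key ENC_KEY OUT_KEY PASSFILE
# The passphrase is read from a file so it never appears in the process list.
decrypt_key() {
    # umask 077: the plaintext key is never created group/world readable.
    ( umask 077 && openssl pkey -in "$1" -passin "file:$3" -out "$2" ) \
        || { rm -f "$2"; return 1; }          # wrong passphrase: leave nothing behind
    chmod 600 "$2"                            # also covers a pre-existing output file
    if key_is_encrypted "$2"; then return 1; fi
    # The decrypted copy must be the same key pair as the encrypted original.
    [ "$(pubkey_of "$1" "$3")" = "$(pubkey_of "$2")" ]
}

# Demo on a constructed key: generate an encrypted test key, then decrypt it.
demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' 'constructed-passphrase' > "$work/pass.txt"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$work/pass.txt" -out "$work/enc.pem" 2>/dev/null
    decrypt_key "$work/enc.pem" "$work/plain.pem" "$work/pass.txt" &&
        ls -l "$work/plain.pem"
    status=$?
    rm -rf "$work"
    return $status
}
demo
```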