Re: httpd with SSL

Mon, 06 Sep 2004 23:10:23 -0700 

     Yeessss ... thanks a lot.

           Cristi
On Mon, 2004-09-06 at 18:20, Josh Hansen wrote:
> Cristi Tauber wrote:
> 
> >        Hello,
> >    I installed from ports (switched from sources ... hope to learn :) )
> >apache 1.3.29 with mod-ssl. All good ... httpd works ... i issued a
> >certificate ... but now when my computer reboots and apache starts in
> >ssl mode it asks for pass phrase !!! So ... if computer reboots over
> >night someone have to write the pass phrase so the computer can start.
> >This is annoying ... how can i skip this ... can i enter the passphrase
> >in my boot script ? How ???
> >
> >         Cristi
> >
> >_______________________________________________
> >[EMAIL PROTECTED] mailing list
> >http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >To unsubscribe, send any mail to "[EMAIL PROTECTED]"
> >  
> >
> Hello Cristi,
> 
> This is from the apache site:
> 
> How can I get rid of the pass-phrase dialog at Apache startup time?
> 
> The reason why this dialog pops up at startup and every re-start is that 
> the RSA private key inside your server.key file is stored in encrypted 
> format for security reasons. The pass-phrase is needed to be able to 
> read and parse this file. When you can be sure that your server is 
> secure enough you perform two steps:
> 
>    1. Remove the encryption from the RSA private key (while preserving 
> the original file):
> 
>       $ cp server.key server.key.org
>       $ openssl rsa -in server.key.org -out server.key
> 
>    2. Make sure the server.key file is now only readable by root:
> 
>       $ chmod 400 server.key
> 
> Now server.key will contain an unencrypted copy of the key. If you point 
> your server at this file it will not prompt you for a pass-phrase. 
> HOWEVER, if anyone gets this key they will be able to impersonate you on 
> the net. PLEASE make sure that the permissions on that file are really 
> such that only root or the web server user can read it (preferably get 
> your web server to start as root but run as another server, and have the 
> key readable only by root).
> 
> As an alternative approach you can use the ``SSLPassPhraseDialog 
> exec:/path/to/program'' facility. But keep in mind that this is neither 
> more nor less secure, of course.
> 

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to