> >However each time I start the httpsd daemon, it always asks me for the
> >private key. Is there any command option to save the private key?
>
> In scanning the posts, .. I am not sure anyone gave you the correct answer
> - if you need auto-start (which we always do here, .. I, for one, would not
> wish to schlep down to the NOC in case the UPS ran out!), you need to
> remove the passphrase from the key.
It's not actually necessary to strip the passphrase or run to the NOC. As a previous post hinted, the following (global server config only) will do the trick:
SSLPassPhraseDialog exec:/path/to/script/get_pass
where get_pass is a script, executable etc. that picks up the server identifiers passed to it when mod_ssl/Apache starts up. mod_ssl then sends:
ServerName:port
as the first argument to get_pass, and get_pass is called once for the global server config (if SSLEngine on) and once for each SSL-enabled virtual server.
Below is a highly simplified Perl script that does the job. You could also have this script get the actual passwords via a secure channel, like an ssh tunnel to a remote machine that was physically secure, and thereby avoid having even a root.root 0700 file on the insecure server with the plain text passphrases in.
#!/usr/bin/perl
use strict;
use warnings;
# check which virtual host's passphrase is required and send it to STDOUT.
# mod_ssl passes "ServerName:port" as the first argument; default to an
# empty string so a call with no argument matches nothing instead of warning.
my $server = defined $ARGV[0] ? $ARGV[0] : '';
if ($server =~ /^ssl\.host1\.co\.uk/) {
    print "hubble bubble toil and trouble";
}
elsif ($server =~ /^ssl\.host2\.com/) {
    print "a c&y%t*c passh phrase";
}
elsif ($server =~ /^ssl\.host3\.to/) {
    print "passphrase number three";
}
Nothing can be 100% secure of course, but the above is better than castrating the private keys completely, I think.
Mark
Mark Tiramani
FREDO Internet Services
[EMAIL PROTECTED]
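A more defensive variant of the get_pass helper, added here as an example in Python (it is not Mark's script and not part of the original post). It assumes the calling convention described above (first argument "servername:port"), keeps the passphrases out of the script in a separate root-owned, mode 0600 file at an assumed path, and refuses to answer if that file is readable by anyone else or the argument is malformed.

```python
# get_pass: SSLPassPhraseDialog exec: helper (added example, not the list post's script).
import os
import re
import stat
import sys
PASS_FILE = "/etc/apache2/ssl-passphrases"  # assumed path; must be root-owned, mode 0600
SERVER_ID_RE = re.compile(r"^([A-Za-z0-9.-]+):([0-9]{1,5})$")
SAMPLE_PASS_FILE = """# constructed sample of the file format: servername:port  passphrase
ssl.host1.co.uk:443 hubble bubble toil and trouble
ssl.host2.com:443   a c&y%t*c passh phrase
"""

def parse_server_id(arg):
    """Return (host, port) for a well-formed 'servername:port' argument, else None."""
    m = SERVER_ID_RE.match(arg)
    if not m or not 1 <= int(m.group(2)) <= 65535:
        return None
    return m.group(1).lower(), int(m.group(2))

def parse_pass_file(text):
    """Map (host, port) -> passphrase; blank lines, '#' comments and bad keys are skipped."""
    mapping = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)  # the passphrase keeps its internal spaces
        if len(fields) == 2 and not fields[0].startswith("#"):
            sid = parse_server_id(fields[0])
            if sid is not None:
                mapping[sid] = fields[1]
    return mapping

def file_mode_ok(mode, uid):
    """Accept only a regular file owned by root with no group/other permission bits."""
    return stat.S_ISREG(mode) and uid == 0 and (mode & 0o077) == 0
def lookup_passphrase(server_id, mapping):
    return mapping.get(parse_server_id(server_id))  # None for a malformed or unknown id

def main(argv):  # mod_ssl runs "get_pass servername:port" and reads stdout
    try:
        with open(PASS_FILE, encoding="utf-8") as f:
            st = os.fstat(f.fileno())
            if not file_mode_ok(st.st_mode, st.st_uid):
                return 2  # refuse a group/world-readable or non-root passphrase file
            phrase = lookup_passphrase(argv[1], parse_pass_file(f.read()))
    except (OSError, IndexError):  # unreadable file or no servername:port argument
        return 2
    if phrase is None:
        return 3  # unknown vhost or bad argument: let startup fail instead of guessing
    sys.stdout.write(phrase)  # no trailing newline, matching the original Perl script
    return 0
if __name__ == "__main__":
    sys.exit(main(sys.argv))
```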
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]