On Wed, 24 Jan 2018, Viktor Dukhovni wrote:

One would want to start with "umask 077", to avoid creating
world-readable private key files.  This should not be
necessary with OpenSSL 1.1.0 and later, but older versions
(e.g. OpenSSL 1.0.2) create all output files with default
permissions, constrained only by the user's umask.

In addition to the umask, some of the directories involved
should probably be mode 0700.

For long-term CA keys, one would typically want to
passphrase-protect the private key (thus replace the
"-nodes" in the first command with -aes128 or -aes256, and
then type the password again as needed to sign CSRs
and certificates).

Good advice!

I myself have all the files in an encrypted filesystem with a long key, which I only unpack/activate with a loop device when needed.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
