08-17-2008, 11:34 PM
tacone

Standard location for apache ssl certificates .key files.

Hello, we're building an ssl plugin for the Apache configurator
software we're building.

As we try to implement and promote the best practices, we found
ourselves stuck when trying to determine where the .key file of the
certificate should be placed, and with which permissions.

/etc/ssl/private seems the best option, but it's (correctly) readable
only by root, so Apache complains that the files either don't exist or
are empty.
We could easily create our own /etc/apache2/ssl/private directory
owned by www-data, but first we'd like to know if there's already a
standard location for storing SSL certificates to be used by Apache.

Which directory? Which permissions? What's the best practice?

Thank you very much for your help

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
08-18-2008, 08:51 AM
Neil Wilson

Standard location for apache ssl certificates .key files.

2008/8/18 tacone <tacone@gmx.net>:
> /etc/ssl/private seems the best option, but it's (correctly) readable
> only by root, so Apache complains that the files either don't exist or
> are empty.

That directory should have execute permissions by the ssl-cert group
and keys should be readable by members of the ssl-cert group.

Interestingly on the latest version of Hardy that seems to have
changed to unknown group #89.

> We could easily create our own /etc/apache2/ssl/private directory
> owned by www-data, but first we'd like to know if there's already a
> standard location for storing SSL certificates to be used by Apache.
>
> Which directory? Which permissions? What's the best practice?

Certainly there needs to be a standard directory where https
certificates are stored. Ultimately those certificates might not be
used just by apache, but other httpd daemons like nginx. The reason I
store ours in /etc/ssl/ is so that switching between http daemons is
that much easier.

A solution would be to reinstate the ssl-certs group correctly in the
package controlling /etc/ssl/private, perhaps consider setGID the
directory, and add the apache user to the ssl certs group. It's never
a problem for nginx, which doesn't drop privileges.

--
Neil Wilson

 
08-18-2008, 05:26 PM
Kees Cook

Standard location for apache ssl certificates .key files.

Hi,

On Mon, Aug 18, 2008 at 01:34:51AM +0200, tacone wrote:
> Hello, we're building an ssl plugin for the Apache configurator
> software we're building.
>
> As we try to implement and promote the best practices, we found
> ourselves stuck when trying to determine where the .key file of the
> certificate should be placed, and with which permissions.
>
> /etc/ssl/private seems the best option, but it's (correctly) readable
> only by root, so Apache complains that the files either don't exist or
> are empty.

When apache loads the private keys, it is running as root, and will not
complain.

> We could easily create our own /etc/apache2/ssl/private directory
> owned by www-data, but first we'd like to know if there's already a
> standard location for storing SSL certificates to be used by Apache.

Allowing private keys to be readable by www-data is a very bad idea,
security-wise. This means any program running under CGI, PHP, etc, will
be able to read these files. This totally breaks the purpose of the
"private" part of private keys.

> Which directory? Which permissions? What's the best practice?

/etc/ssl/private is the right place, the permissions are already correct
(rwx user root, x group ssl-cert). Manipulating private keys from within
Apache is not something I would recommend.

-Kees

--
Kees Cook
Ubuntu Security Team

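The permission layout the thread settles on (directory rwx for root and execute-only for the ssl-cert group, i.e. 0710; key files readable at most by owner and group, never by "other", since a world- or www-data-readable key is exposed to every CGI or PHP script) can be checked with a small audit script. This is an added example, not code from the thread or from the Ubuntu packages; it assumes GNU `stat -c`, checks mode bits only (ownership by root:ssl-cert is not verified, so it runs unprivileged), and the directory it is pointed at is constructed by the caller.

```shell
#!/bin/sh
# Audit a private-key directory against the layout discussed in the thread:
# the directory should be 0700 or 0710 (root rwx, ssl-cert group x-only) and
# every *.key inside should be 0640 or tighter. Added example; assumes GNU stat.

# key_mode_ok MODE: 0 if an octal mode (e.g. 640, 2640) is acceptable for a
# key file: no bits at all for "other", and group may at most read.
key_mode_ok() {
    mode=$(printf '%s' "$1" | tail -c 3)   # last three octal digits
    other=${mode#??}                       # third digit: "other"
    group=${mode#?}; group=${group%?}      # second digit: group
    [ "$other" = "0" ] || return 1
    case "$group" in
        0|4) return 0 ;;                   # group none, or group read-only
        *)   return 1 ;;                   # group write/execute is too loose
    esac
}

# dir_mode_ok MODE: 0 if a directory mode matches /etc/ssl/private's
# intended layout (0700, or 0710 so ssl-cert members can traverse it).
dir_mode_ok() {
    mode=$(printf '%s' "$1" | tail -c 3)
    case "$mode" in
        700|710) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_key_dir DIR: print one line per finding; return 1 if anything is wrong.
audit_key_dir() {
    dir=$1; rc=0
    dmode=$(stat -c '%a' "$dir") || return 1
    dir_mode_ok "$dmode" || { echo "BAD dir $dir mode $dmode (want 0710)"; rc=1; }
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue            # no keys present: pattern did not expand
        fmode=$(stat -c '%a' "$f")
        if key_mode_ok "$fmode"; then
            echo "ok  key $f mode $fmode"
        else
            echo "BAD key $f mode $fmode (group-writable or world-readable)"; rc=1
        fi
    done
    return $rc
}
```

Run it as `audit_key_dir /etc/ssl/private` on a real host; a non-zero exit means at least one key or the directory itself is looser than the thread's recommendation.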
 