Standard location for apache ssl certificates .key files.
On Mon, Aug 18, 2008 at 01:34:51AM +0200, tacone wrote:
> Hello, we're building an ssl plugin for the Apache configurator
> software we're building.
> As we try to implement and promote the best practices, we found
> ourselves stuck when trying to determine where the .key file of the
> certificate should be placed, and with which permissions.
> /etc/ssl/private seems the best option, but it's (correctly) readable
> only by root, so Apache complains that files either doesn't exist or
> it's empty.
When apache loads the private keys, it is running as root, and will not
> We could easily create our own /etc/apache2/ssl/private directory
> owned by www-data, but first we'd like to know if there's already a
> standard location about storing SSL certificates to be used by Apache.
Allowing private keys to be readable my www-data is very bad idea,
security-wise. This means any program running under CGI, PHP, etc, will
be able to read these files. This totally breaks the purpose of the
"private" part of private keys.
> Which directory ? Which permissions? What's the best practice ?
/etc/ssl/private is the right place, the permissions are already correct
(rwx user root, x group ssl-cert). Manipulating private keys from within
Apache is not something I would recommend.
Ubuntu Security Team
ubuntu-server mailing list
More info: https://wiki.ubuntu.com/ServerTeam