[brlug-general] Where do you put your SSL files?
John Hebert
johnahebert at yahoo.com
Tue Nov 27 23:13:40 CST 2007
Er, are you keeping your SSL private key files on your server? Shouldn't those be on an encrypted thumb drive and locked away in a safe?
For SSL, you only need your private keys when generating/signing certificates. Maybe you are thinking of PKI?
Here's a handy analogy: Apps aren't supposed to touch your privates.
John Hebert
----- Original Message ----
From: Dustin Puryear <dustin at puryear-it.com>
To: general at brlug.net
Sent: Tuesday, November 27, 2007 9:16:45 AM
Subject: Re: [brlug-general] Where do you put your SSL files?
Well, you can't put them on a shared drive unless you are very careful with perms on the .key files, no?
John Hebert wrote:
> 1. We keep our certs in an application-specific area
> (/app/tomcat/conf/ssl.*), but then hosting that app is all we do with our servers. If
> you have lots of apps on the server that need a cert, then put them in a
> central location like /usr/shared/ssl/certs like you said.
>
> If you have lots of certs, you would probably want to store them
> centrally and categorize them differently. Depends on the situation.
>
> BTW, you don't have to store certs for specific servers on the server
> itself. They could all be put in a shared drive somewhere, as long as
> your app knows where to find them.
>
> 2. Use a cert vendor that gives you better management tools for your
> certs. We use Entrust.com, but then we don't manage more than a few
> dozen certs for customers. Don't have much experience with the others.
>
> John Hebert
>
> ----- Original Message ----
> From: Dustin Puryear <dustin at puryear-it.com>
> To: Sage Members <sage-members at sage.org>; general at brlug.net;
> nolug at nolug.org
> Sent: Monday, November 26, 2007 1:52:48 PM
> Subject: [brlug-general] Where do you put your SSL files?
>
>
> So, a little issue I see a lot is that SSL cert files seem to go
> everywhere. I may see some under /var/shared/ssl/certs/, some under
> application-specific directories (e.g., /etc/httpd/conf/ssl.*/,
> /etc/ldap/), etc.
>
> What are your thoughts on:
>
> 1. Putting all certs under a standardized location, e.g.,
> /usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them for a
> little more security.
>
> 2. Keeping them in application-specific areas.
>
> Also, how are you keeping track of cert expiration? We usually get
> emails from the SSL cert vendor about renewals, but..
>
_______________________________________________
General mailing list
General at brlug.net
http://mail.brlug.net/mailman/listinfo/general_brlug.net
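Dustin's two practical questions in the thread (locking down the .key files with chown/chmod, and noticing expiry before the vendor's renewal mail does) are both easy to script against the local copies of the files. The script below is an added example for this archive page and is not code posted by any participant; it assumes the openssl command-line tool is installed, and the paths, the /CN=demo.example subject and the throwaway self-signed pair it generates are all constructed for the demo.

```shell
#!/bin/sh
# Audit helpers for an SSL/TLS private key and certificate pair.
# Added example for this thread, not from any of the posters.
# Assumes: openssl CLI on PATH; all file paths below are made up.

# key_perms_ok KEYFILE
# Succeeds only when the private key has no group or other bits set
# (a 0600/0400-style mode), which is the "careful with perms" case.
key_perms_ok() {
    # POSIX "ls -l" puts the mode in columns 1-10; 5-10 are group+other.
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# cert_expires_within CERTFILE DAYS
# Succeeds (exit 0) when the certificate's notAfter falls within DAYS days,
# i.e. the condition you want to alarm on from cron.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    # "openssl x509 -checkend N" exits 0 if the cert is still valid N
    # seconds from now and non-zero if it will have expired, so invert it.
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# audit_pair KEYFILE CERTFILE WARN_DAYS
# Prints one line per problem found; returns 1 if anything was flagged.
audit_pair() {
    rc=0
    if ! key_perms_ok "$1"; then
        echo "WARN: $1 is readable by group/other: $(ls -ld "$1")"
        rc=1
    fi
    if cert_expires_within "$2" "$3"; then
        echo "WARN: $2 expires within $3 days: $(openssl x509 -in "$2" -noout -enddate)"
        rc=1
    fi
    return $rc
}

# make_demo_pair DIR DAYS
# Constructed fixture (not from the thread): a self-signed cert and key
# valid for DAYS days, so the checks can be exercised offline.
make_demo_pair() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -days "$2" -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1
}

demo=${TMPDIR:-/tmp}/ssl-audit-demo.$$
make_demo_pair "$demo" 10          # cert good for only 10 days
chmod 644 "$demo/demo.key"         # deliberately sloppy, as on a shared drive
audit_pair "$demo/demo.key" "$demo/demo.crt" 30 || echo "problems found, as expected"
chmod 600 "$demo/demo.key"
audit_pair "$demo/demo.key" "$demo/demo.crt" 7 && echo "OK: $demo passes a 7-day check"
rm -rf "$demo"
```

Pointing audit_pair at each key/cert pair from cron (or looping it over a central /usr/shared/ssl/certs/ tree) gives an expiry warning that does not depend on the vendor's email, and catches a key whose mode was loosened when it was copied somewhere shared. Using -checkend rather than parsing the notAfter string avoids the GNU/BSD date-format differences between hosts.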