[brlug-general] Where do you put your SSL files?
John Hebert
johnahebert at yahoo.com
Wed Nov 28 00:41:55 CST 2007
Ray,
You are right, I was wrong. Once more, I should have researched before mouthing off. :)
SSL _is_ PKI. (http://en.wikipedia.org/wiki/Transport_Layer_Security)
Thanks,
John Hebert
----- Original Message ----
From: -ray <ray at ops.selu.edu>
To: general at brlug.net
Sent: Wednesday, November 28, 2007 12:16:54 AM
Subject: Re: [brlug-general] Where do you put your SSL files?
Unless you want to run back to the safe for every single HTTPS
connection, then your web server needs the private key file.
The SSL certificate, in simplest terms, is your public key. It also
contains your Certificate Authority (CA) info. After verifying your
certificate and CA, the client can then encrypt data using your public
key, and send it to the webserver. In order to decrypt said data, the
webserver *needs* the private key.
Of course SSL is much more complicated, but the encryption part is
basically public/private key encryption. If you have data encrypted
with the public key, you need the private key to decrypt it.
The certificate is useless without the private key.
ray
On Tue, 27 Nov 2007, John Hebert wrote:
> Er, are you keeping your SSL private key files on your server?
> Shouldn't those be on an encrypted thumb drive and locked away in a
> safe?
>
> For SSL, you only need your private keys when generating/signing
> certificates. Maybe you are thinking of PKI?
>
> Here's a handy analogy: Apps aren't supposed to touch your privates.
>
> John Hebert
>
> ----- Original Message ----
> From: Dustin Puryear <dustin at puryear-it.com>
> To: general at brlug.net
> Sent: Tuesday, November 27, 2007 9:16:45 AM
> Subject: Re: [brlug-general] Where do you put your SSL files?
>
>
> Well, you can't put them on a shared drive unless you are very
> careful with perms on the .key files, no?
>
> John Hebert wrote:
>> 1. We keep our certs in an application-specific area
>> (/app/tomcat/conf/ssl.*), but then hosting that app is all we do with
>> our servers. If you have lots of apps on the server that need a cert,
>> then put them in a central location like /usr/shared/ssl/certs like
>> you said.
>>
>> If you have lots of certs, you would probably want to store them
>> centrally and categorize them differently. Depends on the situation.
>>
>> BTW, you don't have to store certs for specific servers on the
>> server itself. They could all be put in a shared drive somewhere, as
>> long as your app knows where to find them.
>>
>> 2. Use a cert vendor that gives you better management tools for your
>> certs. We use Entrust.com, but then we don't manage more than a few
>> dozen certs for customers. Don't have much experience with the
>> others.
>>
>> John Hebert
>>
>> ----- Original Message ----
>> From: Dustin Puryear <dustin at puryear-it.com>
>> To: Sage Members <sage-members at sage.org>; general at brlug.net;
>> nolug at nolug.org
>> Sent: Monday, November 26, 2007 1:52:48 PM
>> Subject: [brlug-general] Where do you put your SSL files?
>>
>>
>> So, a little issue I see a lot is that SSL cert files seem to go
>> everywhere. I may see some under /var/shared/ssl/certs/, some under
>> application-specific directories (e.g., /etc/httpd/conf/ssl.*/,
>> /etc/ldap/), etc.
>>
>> What are your thoughts on:
>>
>> 1. Putting all certs under a standardized location, e.g.,
>> /usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them
>> for a little more security.
>>
>> 2. Keeping them in application-specific areas.
>>
>> Also, how are you keeping track of cert expiration? We usually get
>> emails from the SSL cert vendor about renewals, but..
>>
>
> _______________________________________________
> General mailing list
> General at brlug.net
> http://mail.brlug.net/mailman/listinfo/general_brlug.net
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean http://www.r-a-y.org
Systems Engineer Southeastern Louisiana University
IBM Certified Specialist AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
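The two concrete concerns raised in this thread are the permissions on .key files (Dustin's "chown'ing and chmod'ing" of a central directory) and keeping track of certificate expiration without relying on vendor reminder emails. Below is an added, editor-written example of a small stdlib-only Python audit script that checks both; it is not code from the thread or from any of the posters. It reads notAfter straight out of a DER or PEM certificate with a minimal ASN.1 walker, so it works on any cert file regardless of which directory convention you pick. The function names, the sample validity dates and the unsigned certificate skeleton used as input are all constructed for the demo and are not a real certificate; the key-file demo writes a placeholder file to a temporary directory and audits it at 0644 and then at 0600.

```python
import base64
import datetime as dt
import os
import stat
import tempfile

UTC = dt.timezone.utc

def der(tag, content):
    """Encode one DER TLV (short or two-byte long-form length)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        yield tag, val

def parse_time(tag, val):
    """Decode UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    s = val.decode("ascii")
    if tag == 0x17:                                    # RFC 5280 two-digit year rule
        yy = int(s[:2])
        s = "%d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:
        raise ValueError("unexpected time tag %#x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def cert_validity(cert_bytes):
    """Return (notBefore, notAfter) from a DER or PEM X.509 certificate (RFC 5280 layout)."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):  # strip PEM armor
        body = b"".join(l for l in cert_bytes.splitlines() if not l.startswith(b"-----"))
        cert_bytes = base64.b64decode(body)
    _, cert, _ = der_read(cert_bytes, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)                      # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                           # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = (parse_time(t, v) for t, v in der_children(fields[3][1]))
    return not_before, not_after

def days_until_expiry(cert_bytes, now=None):
    """Whole days left before notAfter; negative once the cert has expired."""
    now = now or dt.datetime.now(UTC)
    return (cert_validity(cert_bytes)[1] - now).days

def key_file_findings(path, expected_uid=None):
    """List problems with a private key file: group/other bits set, wrong owner."""
    st = os.stat(path)
    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access" % stat.S_IMODE(st.st_mode))
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    return findings

# Constructed sample data: an UNSIGNED skeleton with a real Validity, not a usable cert.
SAMPLE_NOT_BEFORE = dt.datetime(2007, 11, 26, tzinfo=UTC)
SAMPLE_NOT_AFTER = dt.datetime(2008, 11, 26, tzinfo=UTC)

def build_sample_cert(not_before, not_after):
    utctime = lambda t: der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                 # [0] version v3
        der(0x02, b"\x01"),                            # serialNumber
        der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        der(0x30, b""),                                # issuer (empty for the demo)
        der(0x30, utctime(not_before) + utctime(not_after)),   # validity
        der(0x30, b""),                                # subject (empty for the demo)
        der(0x30, der(0x03, b"\x00")),                 # subjectPublicKeyInfo placeholder
    ]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))   # + empty sigalg, sig

SAMPLE_CERT_DER = build_sample_cert(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER)
SAMPLE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER) + b"-----END CERTIFICATE-----\n"

def demo_key_permissions():
    """Audit a constructed dummy key file first at 0644, then at 0600."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "server.key")
        with open(key, "wb") as f: f.write(b"-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
        os.chmod(key, 0o644)
        loose = key_file_findings(key, expected_uid=os.getuid())
        os.chmod(key, 0o600)
        tight = key_file_findings(key, expected_uid=os.getuid())
    return loose, tight

if __name__ == "__main__":
    print(days_until_expiry(SAMPLE_CERT_DER, now=SAMPLE_NOT_BEFORE), demo_key_permissions())
```

To use it on a real host, loop over the .crt/.pem files in whichever directory you standardized on (for example /usr/shared/ssl/certs/ from the original question), pass `open(path, "rb").read()` to `days_until_expiry`, and run `key_file_findings` over the matching .key files with the uid of the account that actually serves HTTPS; a cron job that emails anything under 30 days or with group/other bits set is the in-house replacement for the vendor's renewal reminders.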