Rebooting web server w/o having to type certificate passphrase? - SSH


Thread: Rebooting web server w/o having to type certificate passphrase?

  1. Rebooting web server w/o having to type certificate passphrase?


    Every time I add a cert to a web server (to support https://) I have
    to be around and type the passphrase at reboot time.

    I have tried two kinds of certs:

    (1) cd /usr/share/ssl/certs; make testcert

    and

    (2) make server.pem

    In case (2) the resultant cert is RSA and it doesn't need a password.
    I have to extract the 2 components manually from the .pem file and
    save them in separate files server.crt and server.key

    In case (1) the resultant cert is DSA and needs a password.

    It seems that (1) is more secure, but it requires the password to be
    typed.

    Is there a way to prevent the interactive password typing?

    Comments?

    TIA,

    -Ramon


  2. Re: Rebooting web server w/o having to type certificate passphrase?

    On Jun 11, 12:43 am, Ramon F Herrera wrote:
    > Every time I add a cert to a web server (to support https://) I have
    > to be around and type the passphrase at reboot time.
    >
    > I have tried two kinds of certs:
    >
    > (1) cd /usr/share/ssl/certs; make testcert
    >
    > and
    >
    > (2) make server.pem
    >
    > In case (2) the resultant cert is RSA and it doesn't need a password.
    > I have to extract the 2 components manually from the .pem file and
    > save them in separate files server.crt and server.key
    >
    > In case (1) the resultant cert is DSA and needs a password.
    >
    > It seems that (1) is more secure, but it requires the password to be
    > typed.
    >
    > Is there a way to prevent the interactive password typing?
    >
    > Comments?
    >
    > TIA,
    >
    > -Ramon


    Correction: it seems like in both cases (1) and (2) the key is RSA.

    -RFH



  3. Re: Rebooting web server w/o having to type certificate passphrase?

    On Sun, 10 Jun 2007 22:43:22 -0700, Ramon F Herrera wrote:

    > Every time I add a cert to a web server (to support https://) I have
    > to be around and type the passphrase at reboot time.


    openssl rsa -in server.key -out server_nopassword.key
    openssl x509 -in server.pem -out server_nopassword.pem

    cheers

  4. Re: Rebooting web server w/o having to type certificate passphrase?

    On Jun 11, 1:58 am, Burkhard Ott wrote:
    > On Sun, 10 Jun 2007 22:43:22 -0700, Ramon F Herrera wrote:
    >
    > > Every time I add a cert to a web server (to support https://) I have
    > > to be around and type the passphrase at reboot time.

    >
    > openssl rsa -in $server.key -out server_nopassword.key
    > openssl x509 -in server.pem -out server_nopassword.pem
    >
    > cheers



    Thanks to Burkhard for his succinct explanation, which takes care of
    the syntax. Can anyone please delve into the semantics?

    TIA,

    -Ramon



  5. Re: Rebooting web server w/o having to type certificate passphrase?

    Ramon F Herrera writes:
    >On Jun 11, 1:58 am, Burkhard Ott wrote:
    >> On Sun, 10 Jun 2007 22:43:22 -0700, Ramon F Herrera wrote:
    >>
    >> > Every time I add a cert to a web server (to support https://) I have
    >> > to be around and type the passphrase at reboot time.

    >>
    >> openssl rsa -in $server.key -out server_nopassword.key
    >> openssl x509 -in server.pem -out server_nopassword.pem


    >Thanks to Burkhard for his succinct explanation, which takes care of
    >the syntax. Can anyone please delve into the semantics?



    It's not the cert that is protected, it's the private key (used to make
    the CSR, which gets signed by the CA, which becomes the cert).

    Initially SSL was implemented to have the private key password-encrypted,
    with the password to be entered each time the SSL-protected process
    started up.

    The reasoning being: if your private key is compromised, all SSL
    communication can be easily decoded if the traffic is intercepted. The
    private key is the whole key to any and all protection offered by SSL.

    Many admins find that the convenience of the private key not being
    password protected, so the web process can auto-start, outweighs (or
    they have no concept of what they are doing either way) the protection
    of having the private key password protected.

    What the commands above do is remove any password on the private key
    and save the private key out fresh without the password on it. Thus if
    somebody compromised your server and took these keys, and had a way to
    intercept traffic going your way, they could decrypt all SSL traffic.

    If you leave the private key file password-encrypted, and have to type
    in the password each time your web process starts, then even if your
    machine is compromised, the hacker would still have to break the
    password protecting the private key in order to decrypt the
    SSL-encrypted traffic they intercept.

    So, it's your choice: convenience, or security against that sort of attack.
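
    The script below is an added example and not code posted in this thread. It builds throwaway material in a temporary directory so that the two commands from post 3 can be watched doing what post 5 describes: `openssl rsa` rewrites the private key without its passphrase, while `openssl x509` merely copies the certificate out of the combined PEM, because the certificate was never encrypted in the first place. It also shows the habit worth pairing with a passphrase-less key: restricting the file to its owner. It assumes an `openssl` binary (1.1.x or 3.x) on the PATH; the passphrase "demo-pass", the CN "example.test" and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds constructed key material in
# a temp directory and runs the thread's two commands on it.
# Assumes `openssl` (1.1.x or 3.x) is on PATH; "demo-pass" is a placeholder.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: an RSA private key whose PEM file is passphrase-encrypted
# (the state the original poster is in), a self-signed cert for it, and a
# combined server.pem holding both, as a `make server.pem` style target yields.
make_material() {
    openssl genrsa -aes256 -passout pass:demo-pass -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/server.key" -passin pass:demo-pass \
        -subj /CN=example.test -days 1 -out "$WORK/server.crt" 2>/dev/null
    cat "$WORK/server.crt" "$WORK/server.key" > "$WORK/server.pem"
}

# Is this PEM key passphrase-protected? Both the legacy "Proc-Type: 4,ENCRYPTED"
# header (OpenSSL 1.1) and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" banner
# (OpenSSL 3) contain the word ENCRYPTED; unencrypted keys contain neither.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Post 3, first command: write the key back out without its passphrase. The
# passphrase is supplied non-interactively here; umask keeps the result
# owner-only from the moment the file is created.
strip_passphrase() {
    umask 077
    openssl rsa -in "$WORK/server.key" -passin pass:demo-pass \
        -out "$WORK/server_nopassword.key" 2>/dev/null
}

# Post 3, second command: pull only the certificate out of server.pem.
extract_cert() {
    openssl x509 -in "$WORK/server.pem" -out "$WORK/server_nopassword.pem" 2>/dev/null
}

# SHA-256 fingerprint of a certificate; unchanged by the extraction above,
# since a certificate is public data and was never encrypted (post 5).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# Both key files describe the same private key: identical RSA modulus.
same_key() {
    a=$(openssl rsa -in "$WORK/server.key" -passin pass:demo-pass -noout -modulus 2>/dev/null)
    b=$(openssl rsa -in "$WORK/server_nopassword.key" -noout -modulus 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Octal permission bits of the unencrypted key (GNU stat, BSD stat fallback).
key_mode() {
    stat -c %a "$WORK/server_nopassword.key" 2>/dev/null \
        || stat -f %Lp "$WORK/server_nopassword.key"
}

# Run the sequence and report what changed.
make_material
strip_passphrase
extract_cert
key_is_encrypted "$WORK/server.key" && echo "server.key: passphrase-protected"
key_is_encrypted "$WORK/server_nopassword.key" \
    || echo "server_nopassword.key: no passphrase, mode $(key_mode)"
[ "$(fingerprint "$WORK/server.crt")" = "$(fingerprint "$WORK/server_nopassword.pem")" ] \
    && echo "certificate unchanged by openssl x509"
```

    The owner-only mode does not restore what the passphrase provided: anyone who can read the file as that user, or as root, has the key in the clear, which is exactly the trade-off post 5 spells out. It only narrows who that is.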


  6. Re: Rebooting web server w/o having to type certificate passphrase?

    Ramon F Herrera writes:
    >In case (1) the resultant cert is DSA and needs a password.
    >It seems that (1) is more secure, but it requires the password to be typed.
    >Is there a way to prevent the interactive password typing?


    The only reason it's "more secure" is because it requires the password to
    be typed. Any mechanism for getting around this requirement constitutes
    lowering the security so as to be identical. I agree with lowering the
    security in this way, and I recommend doing so in the standard way, by
    using your method #2 (empty passphrase).

  7. Re: Rebooting web server w/o having to type certificate passphrase?

    In comp.security.misc Ramon F Herrera wrote:
    > Is there a way to prevent the interactive password typing?


    No secure way.

    Yours,
    VB.
    --
    "Care must be taken that the Basic Law is not protected with methods
    that run counter to its aim and its spirit."

    Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"
