Rebooting web server w/o having to type certificate passphrase?

Every time I add a cert to a web server (to support https://) I have
to be around and type the passphrase at reboot time.

I have tried two kinds of certs:

(1) cd /usr/share/ssl/certs; make testcert

and

(2) make server.pem

In case (2) the resultant cert is RSA and it doesn't need a password.
I have to extract the 2 components manually from the .pem file and
save them in separate files server.crt and server.key

In case (1) the resultant cert is DSA and needs a password.

It seems that (1) is more secure, but it requires the password to be
typed.

Is there a way to prevent the interactive password typing?

Comments?

TIA,

-Ramon

Re: Rebooting web server w/o having to type certificate passphrase?

On Jun 11, 12:43 am, Ramon F Herrera wrote:
> Every time I add a cert to a web server (to support https://) I have
> to be around and type the passphrase at reboot time.
>
> I have tried two kinds of certs:
>
> (1) cd /usr/share/ssl/certs; make testcert
>
> and
>
> (2) make server.pem
>
> In case (2) the resultant cert is RSA and it doesn't need a password.
> I have to extract the 2 components manually from the .pem file and
> save them in separate files server.crt and server.key
>
> In case (1) the resultant cert is DSA and needs a password.
>
> It seems that (1) is more secure, but it requires the password to be
> typed.
>
> Is there a way to prevent the interactive password typing?
>
> Comments?
>
> TIA,
>
> -Ramon

Correction: it seems like in both cases (1) and (2) the key is RSA.

-RFH

Re: Rebooting web server w/o having to type certificate passphrase?

Am Sun, 10 Jun 2007 22:43:22 -0700 schrieb Ramon F Herrera:

> Every time I add a cert to a web server (to support https://) I have
> to be around and type the passphrase at reboot time.

openssl rsa -in $server.key -out server_nopassword.key
openssl x509 -in server.pem -out server_nopassword.pem

cheers

Re: Rebooting web server w/o having to type certificate passphrase?

On Jun 11, 1:58 am, Burkhard Ott wrote:
> Am Sun, 10 Jun 2007 22:43:22 -0700 schrieb Ramon F Herrera:
>
> > Every time I add a cert to a web server (to support https://) I have
> > to be around and type the passphrase at reboot time.
>
> openssl rsa -in $server.key -out server_nopassword.key
> openssl x509 -in server.pem -out server_nopassword.pem
>
> cheers


Thanks to Burkhard for his succinct explanation, which takes care of
the syntax. Can anyone please delve into the semantics?

TIA,

-Ramon

Re: Rebooting web server w/o having to type certificate passphrase?

Ramon F Herrera writes:
>On Jun 11, 1:58 am, Burkhard Ott wrote:
>> Am Sun, 10 Jun 2007 22:43:22 -0700 schrieb Ramon F Herrera:
>>
>> > Every time I add a cert to a web server (to support https://) I have
>> > to be around and type the passphrase at reboot time.
>>
>> openssl rsa -in $server.key -out server_nopassword.key
>> openssl x509 -in server.pem -out server_nopassword.pem

>Thanks to Burkhard for his succinct explanation, which takes care of
>the syntax. Can anyone please delve into the semantics?


Its not the cert that is protected, its the private key (used to make
the csr, which gets signed by the CA, which becomes the cert).

Initially SSL was implemented to have the private key password
encrypted that would have be entered upon each time the SSL protected
process started up.

The reasoning being, is if your private key is compromised, all SSL
communication can be easily decoded if the traffic is intercepted. The
private key is the whole key to any and all protection offered by SSL.

Many admins find the convience of the private key not being password
protected to auto-start the web process out-weighs (or they have no
concept of what they are doing either way) the protection having the
private-key password protected.

What the commands above do is to remove any password on the private
key and save the private key out fresh without the password on it.
Thus if somebody compromised your server and took these keys, and had
a way to intercept traffic going your way, they can decrypt all SSL traffic.

If you leave the private keyfile password encrypted, and have to type
in the password each time your web process starts, even if your
machine is compromised, the hacker would still have to break the
password protecting the private key in order to decrypt the SSL
encryption traffic they intercept.

So, its your choice. Convience, or security against that sort of attack.

Re: Rebooting web server w/o having to type certificate passphrase?

Ramon F Herrera writes:
>In case (1) the resultant cert is DSA and needs a password.
>It seems that (1) is more secure, but it requires the password to be typed.
>Is there a way to prevent the interactive password typing?

The only reason it's "more secure" is because it requires the password to
be typed. Any mechanism for getting around this requirement constitutes
lowering the security so as to be identical. I agree with lowering the
security in this way, and I recommend doing so in the standard way, by
using your method #2 (empty passphrase).

Re: Rebooting web server w/o having to type certificate passphrase?

In comp.security.misc Ramon F Herrera wrote:
> Is there a way to prevent the interactive password typing?

No secure way.

Yours,
VB.
--
"Es muss darauf geachtet werden, dass das Grundgesetz nicht mit Methoden
geschützt wird, die seinem Ziel und seinem Geist zuwider sind."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"