Solved

openssl - should I generate a key with a password?

Posted on 2011-10-28
Last Modified: 2012-05-12
Right now when I generate a CSR, the procedure goes something like this:
- Generate .key with a password
- Use the .key to generate .csr
- Remove the password from .key file

Is having the password on there while I generate the CSR any better than initially generating the CSR using a .key without a password?  

If it's not better, what is the point of putting a password on the .key? Is this something that only applies when there are multiple users on the system?  (I am the only ssh user)
0
Question by:jeff_zucker
9 Comments
 
LVL 81

Expert Comment

by:arnold
ID: 37050002
It depends on the purpose for which you will be using the certificate.

If it is for a service, web, secure mail, secure POP, secure IMAP, etc. you should leave the key without a password. If you have a password, when the service starts, a prompt for the password will be generated.

If the certificate will be used as a means to identify you as a user accessing other systems, you could consider setting the password; this way no one other than you will be able to use the key/certificate combination to authenticate into .....
Let's say there is an internal site that uses personal certificates as a means of authentication, and then a username/password for authorization.
0
 
LVL 51

Expert Comment

by:Steve Bink
ID: 37050657
You can also remove the password before generating the request, and still generate the same request.  

The purpose of passwording the private key is that it is the "real" key for the set.  Anything encrypted using the private key is "known" to have come from the owner of the key.  Anyone with the public key (the certificate) can decrypt it, as well as encrypt messages of their own for decryption by the private key.  In practice, though, the passphrase tends to get in the way.  Anytime you use the private key, the system/application/whatever will need the passphrase to access it.  This means, for example, Apache needs to stop during load and ask for it.  When you're installing the certificate on a public web server, this is, at best, inconvenient.

If you do remove the passphrase, be *sure* to properly safeguard your key.  The file should have permissions of 400, owned by root.  This is not just a "multiple user system" practice - this is a basic security practice.
0
 
LVL 81

Expert Comment

by:arnold
ID: 37050673
A key when used by Apache or any other service likely cannot have 400 permissions, as it is read in within the SSL certificate configuration section of the application at a time when it is running as the service account versus as the startup root.
0

 
LVL 51

Expert Comment

by:Steve Bink
ID: 37052698
>>> A key when used by apache or any other service likely can not have 400 permissions

All of my .pem files are 400, and Apache reads them just fine during startup.  

My installation is configured to run as a specific local user (not root) and is managed by the normal init.d script.  Looking at `ps -aF | grep 'apache'` shows all the threads under the auspices of the assigned user.  The private key is unencrypted, owned by root, and has 400 permissions.
0
 
LVL 51

Expert Comment

by:Steve Bink
ID: 37052707
After thinking about your statement a few more moments, it made sense.  Why is my assigned user able to read the key?  Answer: it isn't.  Apache's parent thread spawns as root, then launches the other processes using the User directive.  Rechecking my ps output, I see the parent thread I missed the first time.  That also makes sense in the context of the service starting...all of them are owned by root.  

In any case, 400 permissions are the recommendation after decrypting your private key.
0
 

Author Comment

by:jeff_zucker
ID: 37058294
Very informative answers so far....

I am using this for web services and the reason I don't want a password is for when I restart Apache.  If I'm understanding your answers, there *is* an advantage to using the 3 step process I mentioned vs. a 2 step process of generating a key without a password and then a csr (all with no pws)?  Just want to clarify if that process of putting a password on and then taking it off later is a waste of time or an important step.

Thanks.
0
 
LVL 81

Accepted Solution

by:
arnold earned 1000 total points
ID: 37058409
It is up to you.

You could put it in place to avoid the certificate/key leaking out. Once you have the certificate, you can strip out the password from the key and be done with it.
This does not deal with individuals who have administrative access to the system copying out the key and certificate.
If you keep a backup of the key/certificate offsite etc., it would be advisable to have a password on the private key.
0
 
LVL 51

Assisted Solution

by:Steve Bink
Steve Bink earned 1000 total points
ID: 37060300
>>> If you keep a backup of the key/certificate offsite etc., it would be advisable to have a password on the private key.

Agreed, though I would skip the "if" part of that.  :)  Make sure you keep a backup of the key, and keep the passphrase on it.  

That also sort of answers the other question: generate the key with a password, and remove it from the copy you use for Apache.  As a general rule, private keys need that protection.  Its unencrypted use with Apache is an exception to the rule.
0
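
The workflow the answers above converge on, as an added example that is not part of any poster's reply: keep a passphrase-protected key for backup, build the CSR, and write a passphrase-free copy with mode 400 for the web server. The file names, the CN, the `KEY_PASS` variable and the helper function names are assumptions made for the demo; the passphrase is read from the environment so it does not appear in the process list.

```shell
#!/usr/bin/env bash
# Added example: file names, CN and passphrase are constructed for the demo.
set -eu

make_key_and_csr() {   # $1 = output directory; passphrase read from $KEY_PASS
    local dir=$1
    umask 077          # files created below are never group/world readable
    # 1. Generate the key encrypted at rest; this is the copy to back up.
    openssl genrsa -aes256 -passout env:KEY_PASS \
        -out "$dir/server.key.enc" 2048 2>/dev/null
    # 2. Generate the CSR from the encrypted key.
    openssl req -new -key "$dir/server.key.enc" -passin env:KEY_PASS \
        -subj "/CN=www.example.test" -out "$dir/server.csr"
    # 3. Write the passphrase-free copy for the web server, mode 400.
    #    (On a real server also chown it to root; the demo runs unprivileged.)
    openssl pkey -in "$dir/server.key.enc" -passin env:KEY_PASS \
        -out "$dir/server.key"
    chmod 400 "$dir/server.key"
}

key_is_encrypted() {   # true when the PEM file is passphrase-protected
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED)' "$1"
}

csr_pubkey() { openssl req -in "$1" -noout -pubkey; }

csr_matches_key() {    # $1 = CSR, $2 = unencrypted key
    [ "$(csr_pubkey "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
}

file_mode() { ls -l "$1" | cut -c1-10; }

demo_dir=$(mktemp -d)
export KEY_PASS='constructed-demo-passphrase'
make_key_and_csr "$demo_dir"
# A CSR made from the passphrase-free copy carries the same public key,
# so the passphrase has no effect on what the CA receives.
openssl req -new -key "$demo_dir/server.key" \
    -subj "/CN=www.example.test" -out "$demo_dir/from-plain.csr"
[ "$(csr_pubkey "$demo_dir/server.csr")" = \
  "$(csr_pubkey "$demo_dir/from-plain.csr")" ] && echo "same public key in both CSRs"
key_is_encrypted "$demo_dir/server.key.enc" && echo "backup copy: encrypted"
key_is_encrypted "$demo_dir/server.key" \
    || echo "server copy: plaintext, $(file_mode "$demo_dir/server.key")"
rm -rf "$demo_dir"
```

`key_is_encrypted` recognises both PEM styles OpenSSL writes for protected keys (the PKCS#8 `ENCRYPTED PRIVATE KEY` header and the older `Proc-Type: 4,ENCRYPTED` line), so it can also be used to check that a backup copy was not stored in the clear.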
 

Author Closing Comment

by:jeff_zucker
ID: 37072203
This really clears things up.  Thank you.
0
