Alex, encrypting the private key really isn't necessary and I highly doubt it would work for your application or be worth the hassle. Securing via file permissions as mentioned previously is really the best way to tackle this. Think of 'other layers of protection' as being firewalls, intrusion detection, restricted logins, chroot jails, etc., etc... Encryption really works best for UDP-like transport such as email, where you cannot guarantee the recipient is the only person able to 'see' the document ;)
On Mar 25, 2010, at 6:32 PM, Alexander Samad alex@samad.com.au wrote:
On Wed, Mar 24, 2010 at 4:02 AM, Chris Jacobs Chris.Jacobs@apollogrp.edu wrote:
Alexander,
Just Alex :) (getting used to Google Mail). Alexander reminds me of being in trouble with the parents.
I don't know if they only get read at startup or not... but it does bring up the question: Why?
I would like to have another layer of protection on the machine / certificates. I would have thought it would have been a quick and easy question - yes, I could go and read the src, but.
Protect the file with chmod 440 permissions (with root/root or ldap/ ldap or whatever the user/group you use to run slapd).
Yep, I do: root.openldap (Debian).
If there are others with root permission to this box that shouldn't or you don't want to have access to these files - you /really should/ fix that issue first. Then trust the file system permissions to do their job.
So why allow for encrypted private keys? :)
Sadly, I suspect though that you're dead set on keeping the certs password protected, and won't be doing the above.
The above is already done.
However, you could always just /try/ - if it works, then you know the answer. Just get used to restarting/starting slapd being a needless PITA.
Not sure where you got the idea I haven't already done this?
And I am not sure why it's bad to look for another layer of security.
Thanks,
- chris
-----Original Message-----
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org [mailto:openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org] On Behalf Of Alexander Samad
Sent: Monday, March 22, 2010 11:21 PM
To: openldap-technical@openldap.org
Subject: Fwd: tls private key
Hi
Thought I would re-ask: do certificates only get read at start-up? I store my certs with a password; can I remove the password protection, then start slapd and then remove the unpassworded cert private key file?
Will this be okay until such a time as slapd gets restarted?
Alex
---------- Forwarded message ----------
From: Alex Samad alex@samad.com.au
Date: Sat, Jan 16, 2010 at 6:03 PM
Subject: tls private key
To: openldap-technical@openldap.org
Hi
I am setting up my syncrepl to use certificates; my problem is I don't want to leave my private key for the server unencrypted.
Is the file pointed to by TLSCertificateKeyFile just read at slapd load-up time, i.e. can I decrypt the file, start slapd and then remove the unencrypted file?
Alex
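An added example, not part of the thread and not OpenLDAP's own code: a small POSIX sh audit of the file slapd reads via TLSCertificateKeyFile, checking what Chris's advice asks for (mode 440, owned by root with the slapd group, nothing for "other") and reporting whether the PEM is passphrase-protected, so an admin can see at a glance which of the two protections is actually in force. The expected owner and group are passed in rather than hard-coded; the PEM files created in the usage section are constructed stand-ins, not real key material.

```sh
#!/bin/sh
# Added example (not from the thread): audit a slapd TLSCertificateKeyFile.
# Checks: mode 400 or 440, expected owner and group, and whether the PEM
# carries an encryption marker. Paths and group names are assumptions.

# key_is_encrypted FILE -> 0 if the PEM has a PKCS#8 or legacy encryption marker
key_is_encrypted() {
    grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_mode FILE -> octal permission bits, e.g. 440 (GNU stat, BSD stat fallback)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_perms_ok FILE -> 0 when the mode is 400 or 440: no write bit, no "other"
key_perms_ok() {
    case "$(key_mode "$1")" in
        400|440) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_key FILE OWNER GROUP -> prints findings; returns 0 only when clean
audit_key() {
    f=$1; want_owner=$2; want_group=$3; rc=0
    if ! [ -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    if ! key_perms_ok "$f"; then
        echo "bad mode $(key_mode "$f") on $f (want 440, owner/group only)"
        rc=1
    fi
    owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
    group=$(stat -c '%G' "$f" 2>/dev/null || stat -f '%Sg' "$f")
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, want $want_group"; rc=1; }
    if key_is_encrypted "$f"; then
        echo "key is passphrase-protected: slapd needs the passphrase when it starts"
    else
        echo "key is unencrypted: file permissions are the only protection"
    fi
    return $rc
}

# Usage: audit_key.sh /etc/ldap/server.key root openldap
# (the Debian layout from the thread; adjust path and group for your host)
if [ $# -ge 3 ]; then
    audit_key "$1" "$2" "$3"
fi
```

Run it against the real key path with the owner and group slapd runs as; a non-zero exit means at least one of the permission checks failed, and the last line tells you whether a passphrase is also in play.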