File permissions on keys, csr, and certificates

File permissions on keys, csr, and certificates

OpenSSL - User mailing list
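Hi - I created a question on Super User about questions on file permissions and what the file permissions should be on created files. See link here:

https://superuser.com/questions/1368747/file-permissions-for-openssl-created-files-for-https-web-server-lighttpd
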
Could someone comment on what file permissions should be on each file and who should own them. 

Thank you.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: File permissions on keys, csr, and certificates

Peter Magnusson
root:root, chmod 400. And ideally your Root CA files should not be
hosted on your web server, otherwise a server compromise also
compromises your root authority.

https://redmine.lighttpd.net/projects/1/wiki/docs_ssl
Permissions
Be careful to keep your .pem file private! Lighttpd reads all pemfiles
at startup, before dropping privileges. It is therefore best to make
the pem file owned by root and readable by root only:
$ chown root:root /etc/lighttpd/ssl/example.org.pem
$ chmod 400 /etc/lighttpd/ssl/example.org.pem

On Fri, Nov 9, 2018 at 10:04 PM Ikwyl6 via openssl-users <[hidden email]> wrote:

>
> Hi - I created a question on Super User about questions on file permissions and what the file permissions should be on created files. See link here:
>
> https://superuser.com/questions/1368747/file-permissions-for-openssl-created-files-for-https-web-server-lighttpd
>
> Could someone comment on what file permissions should be on each file and who should own them.
>
> Thank you.
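
An audit of the ownership and mode recommended in the reply above (root:root, mode 400), as an added example that is not part of the original thread or of the lighttpd documentation. It assumes GNU coreutils `stat`; the function names `check_key_perms` and `audit_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: verify key/pem files are owned by the expected
# user:group and carry the expected mode (defaults: root:root, 400).
# Assumes GNU coreutils stat (-c format strings).

# check_key_perms FILE [OWNER:GROUP] [MODE]
# Prints one line per deviation; returns 1 if anything is off.
check_key_perms() {
    file=$1
    want_owner=${2:-root:root}
    want_mode=${3:-400}
    rc=0

    # A symlink's own mode says nothing about the key it points to.
    if [ -L "$file" ]; then
        echo "$file: is a symlink; audit the target instead"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file"
        return 1
    fi
    owner=$(stat -c '%U:%G' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owner $owner, expected $want_owner"; rc=1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "$file: mode $mode, expected $want_mode"; rc=1
    fi
    return $rc
}

# audit_dir DIR [OWNER:GROUP] [MODE]
# Checks every *.pem and *.key in DIR; returns 1 if any file deviates.
audit_dir() {
    dir=$1; bad=0
    for f in "$dir"/*.pem "$dir"/*.key; do
        # Skip the literal pattern when a glob matches nothing.
        [ -e "$f" ] || [ -L "$f" ] || continue
        check_key_perms "$f" "$2" "$3" || bad=$((bad + 1))
    done
    echo "$bad file(s) need attention"
    [ "$bad" -eq 0 ]
}
```

Run as root, `audit_dir /etc/lighttpd/ssl` checks the directory from the quoted lighttpd example against the defaults.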