remove passphrase from the key?


remove passphrase from the key?

Ken Loomis-2
Hello:

I have some directions on how to build a self-signed certificate which consists of 5 steps.
1) create a key and a request
2) Remove the passphrase from the key (optional)
3) sign the certificate
4) install the cert and the key
5) set the SSLConf to point to the cert and the key.

My question is what are the effects of removing the passphrase from key?  Is the data still encrypted?  Also, does anything in the process need the privkey.pem file that is created once the cert and key are created?

Thanks,

Ken



Re: remove passphrase from the key?

Bernhard Fröhlich-2
kloomis wrote:

> Hello:
>
> I have some directions on how to build a self-signed certificate which
> consists of 5 steps.
> 1) create a key and a request
> 2) Remove the passphrase from the key (optional)
> 3) sign the certificate
> 4) install the cert and the key
> 5) set the SSLConf to point to the cert and the key.
>
> My question is what are the effects of removing the passphrase from key?
Advantage: You can use the key without supplying a passphrase; this
simplifies, for example, the startup procedure of an SSL-enabled Apache server.
Disadvantage: You can use the key without supplying a passphrase; this
is very bad if someone who should not can read privkey.pem.
> Is the data still encrypted?  
No. Even if it were it would be no use since everyone could decrypt it
without a passphrase.
> Also, does anything in the process need the privkey.pem file that is
> created once the cert and key are created?
privkey.pem is not needed by the process of certificate generation once
the request is generated, but you'll need it once you want to use this
certificate to authenticate yourself, for example when opening an SSL
connection or signing an email.
> Thanks,
>
> Ken
I'm not sure if I did understand your problem; in case I missed it, please
clarify your needs.

Hope it helps,
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26



Re: remove passphrase from the key?

Ken Loomis-2
At 11:24 PM 3/6/2006 +0100, you wrote:
> Also, does anything in the process need the privkey.pem file that is created once the cert and key are created?
>
> privkey.pem is not needed by the process of certificate generation once the request is generated, but you'll need it once you want to use this certificate to authenticate yourself, for example when opening an SSL connection or signing an email.
> I'm not sure if I did understand your problem; in case I missed it, please clarify your needs.

Ted, thanks for your reply.

To clarify the above question: once the certificate has been generated and signed, is it necessary that the file privkey.pem be present for normal encryption and decryption of HTML data transmissions?  If it is needed, I don't see where in the sslconf file it is referenced.

Thanks,

Ken

Re: remove passphrase from the key?

Kyle Hamilton
In reply to this post by Ken Loomis-2
Please see comments inline with the questions.

On 3/6/06, kloomis <[hidden email]> wrote:

>  Hello:
>
>  I have some directions on how to build a self-signed certificate which
> consists of 5 steps.
>  1) create a key and a request
>  2) Remove the passphrase from the key (optional)
>  3) sign the certificate
>  4) install the cert and the key
>  5) set the SSLConf to point to the cert and the key.
>
>  My question is what are the effects of removing the passphrase from key?

No need to enter a passphrase to use the key.  This means that you
don't need to type in (or supply) the passphrase during the startup;
however, if anyone else gets their hands on the privkey.pem file it
means that they can masquerade as you (and listen in on all of your
traffic).

> Is the data still encrypted?

The SSL/TLS session is still encrypted on the wire.  SSL/TLS has never
guaranteed anything beyond the encryption of the data on the wire,
though, so adequate security (possibly including encryption for the
database you query or such) needs to be built into your application as
well.

>  Also, does anything in the process need the
> privkey.pem file that is created once the cert and key are created?

Without the privkey.pem, the cert is useless.  The certificate 'binds'
an identity to a public key; however, it only holds the public key,
not the private key.  The nature of the encryption method used is that
it's very difficult to decrypt data encrypted with the private key
without the public key, and very difficult to decrypt data encrypted
with the public key without the private key.

The practical upshot of this is, yes, your apache configuration needs
the privkey.pem file in order to do SSL/TLS at all.

>
>  Thanks,
>
>  Ken

-Kyle
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: remove passphrase from the key?

Kyle Hamilton
In reply to this post by Ken Loomis-2
SSLPrivateKeyFile <filename>

At least that's what it was on older versions of Apache; check the
documentation on mod_ssl for more information.

-Kyle H

On 3/6/06, kloomis <[hidden email]> wrote:

>  At 11:24 PM 3/6/2006 +0100, you wrote:
>
> Also, does anything in the process need the privkey.pem file that is created
> once the cert and key are created?
>
>
> privkey.pem is not needed by the process of certificate generation once the
> request is generated, but you'll need it once you want to use this
> certificate to authenticate yourself, for example when opening an SSL
> connection or signing an email.
>  I'm not sure if I did understand your problem; in case I missed it, please
> clarify your needs.
>
>  Ted, thanks for your reply.
>
>  To clarify the above question, once the certificate has been generated and
> signed, is it necessary that the file privkey.pem be present for normal
> encryption and decryption of html data transmissions.  If it is needed I
> don't see where in the sslconf file it is referenced.
>
>  Thanks,
>
>  Ken

Re: remove passphrase from the key?

Ken Loomis-2
In reply to this post by Ken Loomis-2
At 11:17 PM 3/6/2006 -0700, you wrote:
> The practical upshot of this is, yes, your apache configuration needs
> the privkey.pem file in order to do SSL/TLS at all.

I have myServer.csr, myServer.cert and myServer.key located in ssl.csr, ssl.crt, and ssl.key respectively.  The ssl.conf points to the cert and the key.  There is a privkey.pem in ssl.pem, but there is no reference in the ssl.conf to it.

I have these settings in the ssl.conf:

#   Server Certificate:
SSLCertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert

#   Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/myServer.com.key

#   Certificate Authority (CA):
SSLCACertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert

Should the private key be the .pem?  Is the .key a public key?  Where should it go?

Ken.


Re: remove passphrase from the key?

Bernhard Fröhlich-2
kloomis wrote:

> At 11:17 PM 3/6/2006 -0700, you wrote:
>> The practical upshot of this is, yes, your apache configuration needs
>> the privkey.pem file in order to do SSL/TLS at all.
>
> I have myServer.csr, myServer.cert and myServer.key located in
> ssl.csr, ssl.crt, and ssl.key respectively.  The ssl.conf points to
> the cert and the key.  There is a privkey.pem in ssl.pem, but there is
> no reference in the ssl.conf to it.
>
> I have these settings in the ssl.conf:
>
> #   Server Certificate:
> SSLCertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert
>
> #   Server Private Key:
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/myServer.com.key
>
> #   Certificate Authority (CA):
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert
>
> Should the private key be the .pem?  Is the .key a public key?  Where
> should it go?
The private key (which also includes the public part) should be in the
file referenced by SSLCertificateKeyFile. I think you did name the
private keyfile something.key. SSLCertificateFile points to the
certificate file which was generated by the CA (key and certificate may
be in the same file).

BTW, SSLCACertificateFile should contain your CA's cert.
>
> Ken.
Hope it helps.
Ted
;)

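As an added check (not part of the thread) tying Ted's warning about who can read privkey.pem to Ken's question of what belongs in SSLCertificateKeyFile, this Python reads a PEM file's labels to tell a certificate from a private key, reports whether the key is passphrase-protected (legacy Proc-Type header or PKCS#8 ENCRYPTED PRIVATE KEY label), and flags a key file that other users can read. The PEM bodies are constructed placeholders, not real key or certificate material.

```python
import os
import re
import stat

# Constructed PEM fragments for the demo: the base64 bodies are placeholders,
# not real key or certificate material.
PLAIN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
             "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
             "-----END RSA PRIVATE KEY-----\n")
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                 "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
                 "-----END RSA PRIVATE KEY-----\n")
PKCS8_ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                       "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
                       "-----END ENCRYPTED PRIVATE KEY-----\n")
CERT = ("-----BEGIN CERTIFICATE-----\n"
        "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
        "-----END CERTIFICATE-----\n")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def classify_pem(text):
    """Return [(label, is_private_key, is_encrypted)] for every PEM block in text."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        is_priv = label.endswith("PRIVATE KEY")
        # Legacy OpenSSL keys mark encryption with a Proc-Type header;
        # PKCS#8 keys use the ENCRYPTED PRIVATE KEY label instead.
        is_enc = is_priv and (label.startswith("ENCRYPTED")
                              or "Proc-Type: 4,ENCRYPTED" in body)
        out.append((label, is_priv, is_enc))
    return out

def audit_key(text, mode):
    """Findings for a file meant to be SSLCertificateKeyFile, given its PEM
    text and its permission bits (e.g. 0o600)."""
    blocks = classify_pem(text)
    findings = []
    if not any(p for _, p, _ in blocks):
        findings.append("no private key block: this is a cert or public key, not the key")
    if any(p and not e for _, p, e in blocks):
        findings.append("private key has no passphrase: anyone who can read the file can use it")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file is readable by group/others (mode %04o)" % mode)
    return findings

def audit_key_file(path):
    """Run audit_key on a file on disk, e.g. the SSLCertificateKeyFile target."""
    with open(path) as f:
        return audit_key(f.read(), stat.S_IMODE(os.stat(path).st_mode))
```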