> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
>
>> $ umask 077 # avoid world-readable private keys
>
> Perhaps (no perhaps about it) this is old information, but I picked up that I needed:
>
> chmod 640 for the private keys for Apache. (and postfix and others use these certs; at least they are in their confs)

I strive to avoid the private disclosure race of first creating a world-readable file, and then trying to do a quick chmod before the bad guys get around to opening it. That's why I recommend the umask approach. You can adjust the umask to suit your needs.

With OpenSSL 1.1.0, if I recall correctly "keyout" files and the like are automatically opened mode "0600". Rich Salz, who wrote the CLI option processing code for 1.1.0, will correct me if my memory is faulty.

There are still a lot of users with 1.0.2 or earlier, and OpenSSL cannot always figure out which files end up having private keys in them, so the umask approach is a good precaution to keep using.

--
	Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
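The following is an added illustration of the umask point made in the reply above; it is not code from the thread or from OpenSSL. It creates files the way a tool that simply opens its output with the default 0666 creation mode would, under three different umasks, and shows the resulting permission bits: 022 gives the world-readable file that would have to be chmod'ed afterwards, 077 gives owner-only from the moment the file exists, and 027 gives the group-readable 0640 that Apache/postfix setups in the quoted message want. File names and the temporary directory are the example's own choices; the optional real key generation runs only if an openssl binary is present.

```shell
#!/bin/sh
# Added example (not from the openssl-users thread): how umask caps the mode
# of a freshly created file, so there is no world-readable window to race.
# Needs only POSIX sh and coreutils; the openssl step is optional.

# Return the symbolic permission string of a file, e.g. "-rw-------".
# (ls output is portable across GNU and BSD, unlike stat's flags.)
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Create an empty file under the given umask, exactly as a program doing
# open(path, O_CREAT|O_WRONLY, 0666) would, then report its mode.
# The umask change happens in a subshell so the caller is not affected.
#   $1 = umask (octal), $2 = path
create_with_umask() {
    (
        umask "$1"
        : > "$2"
    ) || return 1
    perm_of "$2"
}

# Same idea with a real private key, if openssl is installed.  Whatever
# the OpenSSL version does on its own, the umask still caps the result.
# Prints the mode, or "no-openssl" when the binary is absent.
keygen_with_umask() {
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
    (
        umask "$1"
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$2" 2>/dev/null
    ) || return 1
    perm_of "$2"
}

# Walk through the three umasks discussed in the thread and print
# "<umask> <mode>" for each, cleaning up the temporary directory afterwards.
demo() {
    dir=$(mktemp -d) || return 1
    for m in 022 077 027; do
        printf '%s %s\n' "$m" "$(create_with_umask "$m" "$dir/key-$m.pem")"
    done
    printf 'real-key-under-077 %s\n' "$(keygen_with_umask 077 "$dir/real.key")"
    rm -rf "$dir"
}

# Uncomment to run interactively:
# demo
```

Expected lines from demo: `022 -rw-r--r--`, `077 -rw-------`, `027 -rw-r-----`. The point of the subshell is that umask is inherited by every child process started inside it, so `openssl req -keyout`, `openssl genpkey -out` and anything else that writes a key file in that shell gets the cap without needing a follow-up chmod.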