Viktor,
On 03/09/2017 05:53 PM, Viktor Dukhovni wrote:
On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
$ umask 077 # avoid world-readable private keys
Perhaps (no perhaps about it) this is old information, but I picked up that I needed:
chmod 640 for the private keys for Apache. (and postfix and others use these certs; at least they are in their confs)
I strive to avoid the private disclosure race of first creating
a world-readable file, and then trying to do a quick chmod before
the bad guys get around to opening it. That's why I recommend the
umask approach.
You can adjust the umask to suit your needs. With OpenSSL 1.1.0,
if I recall correctly "keyout" files and the like are automatically
opened mode "0600". Rich Salz, who wrote the CLI option processing
code for 1.1.0 will correct me, if my memory if faulty. There are
still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
always figure out which files end up having private keys in them,
so the umask approach is a good precaution to keep using.
Rich got me some help and I have put the following together:
Set the following variables:
countryName=
stateOrProvinceName=
localityName=
organizationName=
organizationalUnitName=
emailAddress=postmaster@$your_domain_tld
Then the following commands create the certs:
restore_mask=$(umask -p)
umask 077
cd /etc/pki/tls
commonName=$your_host_tld
openssl req -new -outform PEM -out certs/$commonName.crt -newkey
rsa:2048 -nodes -keyout private/$commonName.key -keyform PEM -days 3650
-x509 -extensions v3_req -subj
"/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"
chmod 640 private/$commonName.key
commonName=webmail$your_domain_tld
openssl req -new -outform PEM -out certs/$commonName.crt -newkey
rsa:2048 -nodes -keyout private/$commonName.key -keyform PEM -days 3650
-x509 -extensions v3_req -subj
"/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"
chmod 640 private/$commonName.key
commonName=localhost
openssl req -new -outform PEM -out certs/$commonName.crt -newkey
rsa:2048 -nodes -keyout private/$commonName.key -keyform PEM -days 3650
-x509 -extensions v3_req -subj
"/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"
chmod 640 private/$commonName.key
$restore_mask
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users