Nginx
Fixid, 2016-04-25 13:46:16

How to securely store SSL certificates in Linux?

Good afternoon. How can SSL certificates be stored in Linux as securely as possible?
On Ubuntu I use an encrypted .key file; Nginx asks for the password at startup. The scheme seems resistant to theft and compromise.
On Debian 8, starting with Nginx 1.6, support for encrypted .key files was removed, so the password had to be stripped.
How should the certificate now be stored correctly? Where, with what permissions, and in what form?
It is generally recommended to chmod 600 the files.


2 answers
CityCat4, 2016-04-25
@CityCat4

An encrypted key file is paranoia and unnecessary difficulty. On CentOS it is stored in /etc/pki/tls/private. Permissions on the directory are 0700, on all keys 0400. If you do not rely on permissions, then you are assuming you have been hacked at the kernel level, and if that is true, then it's all useless anyway. Therefore, store them in decrypted form where the layout says they should be, with permissions 0400 for the files and 0700 for the directory, and do not bother.
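
An added example, not from this thread, that audits a key directory against the layout CityCat4 describes (0700 on the directory, 0400 on every key, everything owned by one account) and optionally applies it. The `audit_key_dir`/`harden_key_dir` names, the default owner `root`, and the example paths are assumptions; it is POSIX sh and tries GNU `stat` first, then BSD `stat`.

```shell
#!/bin/sh
# Hypothetical audit of a private-key directory. Assumed paths:
# /etc/pki/tls/private on CentOS, /etc/ssl/private on Debian/Ubuntu.

# Octal permission bits of a path (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owning user name of a path.
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# audit_key_dir DIR [OWNER]: prints one finding per line and returns 0 only
# when the directory is 0700, every file inside is 0400, and all are owned
# by OWNER (default root). Dotfiles are not matched by the glob below.
audit_key_dir() {
    dir=$1
    want_owner=${2:-root}
    rc=0
    [ -d "$dir" ] || { echo "MISSING: $dir"; return 1; }
    if [ "$(mode_of "$dir")" != "700" ]; then
        echo "DIR MODE: $dir is $(mode_of "$dir"), want 700"; rc=1
    fi
    if [ "$(owner_of "$dir")" != "$want_owner" ]; then
        echo "DIR OWNER: $dir owned by $(owner_of "$dir"), want $want_owner"; rc=1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue   # empty directory: the glob stays literal
        m=$(mode_of "$f")
        if [ "$m" != "400" ]; then
            echo "KEY MODE: $f is $m, want 400"; rc=1
        fi
        if [ "$(owner_of "$f")" != "$want_owner" ]; then
            echo "KEY OWNER: $f owned by $(owner_of "$f"), want $want_owner"; rc=1
        fi
    done
    return $rc
}

# harden_key_dir DIR: apply the same layout (directory 0700, files 0400).
# Ownership is left to the caller, since chown needs root.
harden_key_dir() {
    dir=$1
    chmod 700 "$dir" && find "$dir" -type f -exec chmod 400 '{}' +
}
```

Run `audit_key_dir /etc/pki/tls/private` from cron or a config-management check to catch keys that a deploy left world-readable; the findings name the exact file and mode.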

Gem, 2016-04-27
@Gem

I can suggest:
1. Look into the NSS crypto provider; it has its own containers
2. SELinux or other access-control hardening schemes
3. Hooks with crypto containers, i.e. LUKS
4. PKCS#11 hardware tokens (I can't speak for nginx here)
One way or another you will need to write some glue code.
