[arch-general] Lighttpd and passphrase protected SSL certificate

C Anthony Risinger anthony at xtfx.me
Sun Jan 15 15:07:33 EST 2012


On Jan 15, 2012 12:58 PM, "Mauro Santos" <registo.mailling at gmail.com> wrote:
>
> On 15-01-2012 16:38, Audric Schiltknecht wrote:
> >
> > Upstream says (http://redmine.lighttpd.net/projects/1/wiki/Docs:SSL) that
> > the SSL password must be entered manually on each lighttpd start (or to
> > remove the password from the key file, which I don't want to do :))
>
> Just out of curiosity (and maybe learn something) why not? If you have
> the certificate and the password stored together then I'd say the
> password is not protecting much.

I'm not aware of a reason to lock the keyfile ... fairly standard AFAIK.

Though if you wanted to get fancy, you could probably store the pass in the
kernel and use some request-key/keyctl trickery to pull it out when needed
... would need to be loaded at least once on boot, but it's the same place
SSH/GPG keeps your keys IIRC, so it's safe ...

... maybe enc the password with your TPM, then decrypt into kernel keyring,
then load into openssl when requested ... :-O

Or just unlock the keyfile.

--

C Anthony
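As an added example (not code from this thread or from lighttpd itself), a pre-flight check a defender can run before enabling an SSL vhost: it reads each `ssl.pemfile` / `ssl.privkey` path from a lighttpd config and reports whether the PEM holds a passphrase-protected key, which is the case that makes lighttpd block on a passphrase prompt at every start as the thread describes. The directive names are lighttpd's; the function names and the sample PEM are assumptions constructed for this example.

```python
"""Pre-flight check for lighttpd SSL key files (added example, not from the thread).
lighttpd stops and prompts for a passphrase at start-up when the PEM file it
loads holds an encrypted private key, so an unattended reboot stalls.  This script
pulls every ssl.pemfile / ssl.privkey path out of a lighttpd config and reports
which of those files contain a passphrase-protected key.  Names are assumptions.
"""
import re
import sys
from pathlib import Path

# Matches config lines such as:  ssl.pemfile = "/etc/lighttpd/ssl/example.pem"
_KEY_DIRECTIVE = re.compile(r'^\s*ssl\.(?:pemfile|privkey)\s*=\s*"([^"]+)"', re.M)

# Markers of an encrypted private key inside a PEM file:
#  - PKCS#8 encrypted container ("openssl pkcs8" / "genpkey" with a passphrase)
#  - traditional PEM carrying "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" headers
_PKCS8_ENC_HEADER = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
_LEGACY_ENC_HEADER = re.compile(r"^Proc-Type:\s*4,\s*ENCRYPTED\s*$", re.M)

# Constructed sample (not a real key): traditional PEM with a passphrase header.
SAMPLE_ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    "Q0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZCQ0ZC\n"
    "-----END RSA PRIVATE KEY-----\n"
)

def key_paths(config_text: str) -> list[str]:
    """Return every key/PEM path referenced by the lighttpd config text."""
    return _KEY_DIRECTIVE.findall(config_text)

def is_encrypted_pem(pem_text: str) -> bool:
    """True if the PEM text contains a passphrase-protected private key."""
    if _PKCS8_ENC_HEADER in pem_text:
        return True
    return bool(_LEGACY_ENC_HEADER.search(pem_text))

def check_config(config_path: Path) -> dict[str, bool]:
    """Map each referenced key file to whether lighttpd would prompt for it."""
    return {p: is_encrypted_pem(Path(p).read_text())
            for p in key_paths(config_path.read_text())}

if __name__ == "__main__":
    if len(sys.argv) > 1:   # real run: path to lighttpd.conf
        results = check_config(Path(sys.argv[1]))
    else:                   # demo on the constructed sample above
        results = {"<constructed sample>": is_encrypted_pem(SAMPLE_ENCRYPTED_PEM)}
    for path, enc in results.items():
        print(f"{path}: {'ENCRYPTED, will prompt at start' if enc else 'unencrypted'}")
```

Run it with the path to lighttpd.conf; a key reported as encrypted is one that will need an interactive passphrase on every daemon start.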

