
Re: tls private key



On Wed, Mar 24, 2010 at 4:02 AM, Chris Jacobs
<Chris.Jacobs@apollogrp.edu> wrote:
> Alexander,

Just Alex :) (getting used to Google mail). Alexander reminds me of
being in trouble with the parents.

>
> I don't know if they only get read at startup or not... but it does bring up the question: Why?

I would like to have another layer of protection on the machine /
certificates. I would have thought it would have been a quick and easy
question. Yes, I could go and read the src, but.
>
> Protect the file with chmod 440 permissions (with root/root or ldap/ldap or whatever the user/group you use to run slapd).

Yep, I do: root.openldap (Debian).

>
> If there are others with root permission to this box that shouldn't or you don't want to have access to these files - you /really should/ fix that issue first.  Then trust the file system permissions to do their job.

So why allow for encrypted private keys? :)

>
> Sadly, I suspect though that you're dead set on keeping the certs password protected, and won't be doing the above.

The above is already done.

>
> However, you could always just /try/ - if it works, then you know the answer.  Just get used to restarting/starting slapd being a needless PITA.

Not sure where you got the idea I haven't already done this?

And I am not sure why it's bad to look for another layer of security.



>
> Thanks,
> - chris
>
> -----Original Message-----
> From: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org [mailto:openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org] On Behalf Of Alexander Samad
> Sent: Monday, March 22, 2010 11:21 PM
> To: openldap-technical@openldap.org
> Subject: Fwd: tls private key
>
> Hi
>
> Thought I would re-ask: do certificates only get read at start-up? I store my certs with a password; can I unpassword-protect them, then start slapd, and then remove the unpassworded cert private file?
>
> Will this be okay until such a time as slapd gets restarted?
>
> Alex
>
>
> ---------- Forwarded message ----------
> From: Alex Samad <alex@samad.com.au>
> Date: Sat, Jan 16, 2010 at 6:03 PM
> Subject: tls private key
> To: openldap-technical@openldap.org
>
>
> Hi
>
>
> I am setting up my syncrepl to use certificates; my problem is I don't want to leave my private key for the server unencrypted.
>
> The file pointed to by TLSCertificateKeyFile is just read at slapd load-up time, i.e. can I unencrypt the file, start slapd and then remove the unencrypted file?
>
> Alex
>
>
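The "chmod 440 root:openldap and trust the file system" advice from the thread, turned into a check: an added example (not code from the thread or from OpenLDAP) that reads the TLSCertificateKeyFile path out of a slapd.conf and verifies the key is owned by the expected user:group and carries no group-write or world bits. It assumes GNU coreutils stat(1), as on the Debian box described, and the slapd.conf (not cn=config) directive style used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit the slapd private key named by
# TLSCertificateKeyFile in a slapd.conf. Passes only when the file is owned by
# the expected user:group and has no group-write or world bits (chmod 440 or
# tighter). Assumes GNU coreutils stat(1), as on Debian.

# Print the path given to TLSCertificateKeyFile (first match, case-insensitive).
key_file_from_conf() {
    awk 'tolower($1) == "tlscertificatekeyfile" { print $2; exit }' "$1"
}

# Usage: check_key_perms SLAPD_CONF WANT_OWNER WANT_GROUP  -> exit status 0/1
check_key_perms() {
    conf=$1; want_owner=$2; want_group=$3
    key=$(key_file_from_conf "$conf")
    if [ -z "$key" ]; then
        echo "$conf: no TLSCertificateKeyFile directive" >&2; return 1
    fi
    if [ ! -f "$key" ]; then
        echo "$key: not a regular file" >&2; return 1
    fi
    mode=$(stat -c '%a' "$key")
    owner=$(stat -c '%U' "$key")
    group=$(stat -c '%G' "$key")
    # keep the low three octal digits (drops setuid/setgid/sticky)
    perm=$(printf '%03d' "$((mode % 1000))")
    rc=0
    case "$perm" in
        ??[1-7]) echo "$key: accessible by others (mode $mode)" >&2; rc=1 ;;
    esac
    case "$perm" in
        ?[2367]?) echo "$key: group-writable (mode $mode)" >&2; rc=1 ;;
    esac
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "$key: owned by $owner:$group, expected $want_owner:$want_group" >&2
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$key: ok (mode $mode, $owner:$group)"
    fi
    return "$rc"
}

# Stand-alone use: sh check_key.sh /etc/ldap/slapd.conf root openldap
if [ "$#" -ge 1 ]; then
    check_key_perms "$1" "${2:-root}" "${3:-openldap}"
fi
```

Run it from cron or a config-management hook so a key that drifts to 644 is reported before anyone with a shell on the box can read it.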