From: Jamie C. <jca...@we...> - 2006-07-29 18:46:04
On 27/Jul/2006 21:01 Robert Moskowitz wrote ..
> Well,
>
> I have finally gotten TinyCA2 up and working!  Many things got in the
> way; but it is now up and running on my notebook (running Centos 4.3).
>
> So I cut and pasted the root cert I built and exported in PEM format.
>
> I also exported a server cert for my notebook (I run Webmin on it when
> I need its tools).
>
> I exported both certs to my home directory, now I want to know if I have
> to keep them there, or if I move them to a better locale, do I have to
> inform Webmin of the change?
>
> My hunch is for the CA cert, since I cut and pasted it into CA cert
> authority module, I do not have to keep Webmin apprised of its location.
>
> But the server cert, I suspect I DO have to keep it informed, so WHEN I
> move it to a better directory than my home directory, I will have to
> update the file location in the SSL module.
>
>
> Now about that file being password protected....
>
> When I supplied Webmin with the cert location (I put the cert and
> private key in a single file), the update failed with a message that
> webmin did not restart.
>
> So from a terminal window I issued: /etc/webmin/start
>
> And was asked:
>
> Enter PEM pass phrase:
>
> So either I have to live with being asked for the PEM pass phrase
> every time I start Webmin (reasonable for running it occasionally on my
> notebook), or create the server cert without a passphrase?
>
> I can see that needing a passphrase on a server would require that said
> passphrase be somewhere on the filesystem (or in a token) anyway, so
> just put it in a root controlled directory and don't passphrase protect
> it?  What does Webmin do when it creates its own cert?

Webmin always creates non-password-protected cert files, to avoid the problem of the openssl library prompting for the password at startup time.

I suppose I could add code to allow a password to be specified in Webmin's config files somewhere (like Apache does), but security-wise this would be no different from not having a passphrase at all! Basically, I recommend creating certs without a passphrase, if you want to use them with a web server that can be started automatically at boot time.

 - Jamie
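The trade-off discussed in this thread, as an added example that is not part of the original messages: a POSIX shell check that reports whether a PEM file's private key is passphrase-protected (and so would prompt at startup) or unencrypted, and in the latter case whether the file mode exposes it to group or other. It reads PEM header lines only; the function names and verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify a combined cert+key PEM file.

# key_state FILE -> encrypted | plaintext | nokey (reads PEM headers only)
key_state() {
    # PKCS#8 encrypted keys have their own BEGIN label; traditional
    # OpenSSL-format keys flag encryption with a Proc-Type header line.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' -- "$1"; then
        echo encrypted
    elif grep -q -e '^-----BEGIN .*PRIVATE KEY-----' -- "$1"; then
        echo plaintext
    else
        echo nokey
    fi
}

# mode_exposed FILE -> succeeds if group or other has any permission bit set
mode_exposed() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" != "------" ]
}

# audit_pem FILE -> one-word verdict for a server started unattended at boot
audit_pem() {
    case $(key_state "$1") in
        encrypted) echo prompts-at-startup ;;
        nokey)     echo no-private-key ;;
        plaintext) if mode_exposed "$1"; then echo plaintext-exposed
                   else echo plaintext-owner-only; fi ;;
    esac
}

# With no arguments, audit a constructed sample (placeholder body, not a real key).
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$sample"
    chmod 644 "$sample"; echo "mode 644: $(audit_pem "$sample")"
    chmod 600 "$sample"; echo "mode 600: $(audit_pem "$sample")"
    rm -f "$sample"
else
    for pem in "$@"; do echo "$pem: $(audit_pem "$pem")"; done
fi
```

Pass one or more PEM file paths as arguments to audit real files; the check does not verify file ownership or the permissions of the containing directory.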