From: Robert M. <rg...@ht...> - 2006-07-31 01:53:58
Jamie Cameron wrote:
> On 27/Jul/2006 21:01 Robert Moskowitz wrote ..
>
>> Well,
>>
>> I have finally gotten TinyCA2 up and working! Many things got in the
>> way; but it is now up and running on my notebook (running Centos 4.3).
>>
>>
>> But the server cert, I suspect I DO have to keep it informed, so WHEN I
>> move it to a better directory than my home directory, I will have to
>> update the file location in the SSL module.
>>
>>
>> Now about that file being password protected....
>>
>> When I supplied Webmin with the cert location (I put the cert and
>> private key in a single file), the update failed with a message that
>> webmin did not restart.
>>
>> So from a terminal window I issued: /etc/webmin/start
>>
>> And was asked:
>>
>> Enter PEM pass phrase:
>>
>> So either I have to live with being asked for the PEM pass phrase
>> every time I start Webmin (reasonable for running it occasionally on my
>> notebook), or create the server cert without a passphrase?
>>
>> I can see that needing a passphrase on a server would require that said
>> passphrase be somewhere on the filesystem (or in a token) anyway, so
>> just put it in a root controlled directory and don't passphrase protect
>> it? What does Webmin do when it creates its own cert?
>>
>
> Webmin always creates non-password-protected cert files, to avoid the problem
> of the openssl library prompting for the password at startup time. I suppose
> I could add code to allow a password to be specified in Webmin's config files
> somewhere (like Apache does), but security-wise this would be no different
> from not having a passphrase at all!
>
> Basically, I recommend creating certs without a passphrase, if you want to
> use them with a web server that can be started automatically at boot time.

I cannot see how to get TinyCA to create a server cert without a password.
When I leave the password field blank, I get an error about no password....

So until I can get the author to accommodate non-passworded server certs, I
worked out the following:

    echo password > /etc/webmin/start

I can put that into the webmin start script.
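An added example, not part of the original message: a shell sketch of the approach recommended in the quoted reply, which checks whether the private key in a combined cert+key PEM file is passphrase-protected, checks that the file is owner-only, and writes an unencrypted copy. The function names and file arguments are hypothetical, and `openssl pkey` assumes OpenSSL 1.0.0 or later.

```shell
#!/bin/sh
# Added example; function names and file paths are placeholders.

# Print "encrypted", "plain" or "nokey" for the private key in a PEM file.
pem_key_state() {
    if grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted   # PKCS#8 encrypted, or traditional PEM with a Proc-Type header
    elif grep -Eq '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"; then
        echo plain       # the server can start without a passphrase prompt
    else
        echo nokey       # certificate only, or not a PEM key file
    fi
}

# Succeed only if FILE grants nothing to group or other (for example mode 0600).
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Write an unencrypted key plus the certificate from IN to OUT.
# openssl prompts for the passphrase once, here, instead of at every start.
strip_passphrase() {
    ( umask 077
      openssl pkey -in "$1" -out "$2" &&
      openssl x509 -in "$1" >> "$2" &&
      chmod 600 "$2" )
}

# When run directly with a file argument, report on that file.
if [ -n "${1:-}" ]; then
    echo "key: $(pem_key_state "$1")"
    owner_only "$1" || echo "warning: $1 is accessible to group or other"
fi
```

Run `strip_passphrase` as root so the resulting file is owned by root, then point the SSL module at the new file.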