Menu
▾
▴
Re: [webmin-l] Webmin certificate(s) location and TinyCA2
|
From: Robert M. <rg...@ht...> - 2006-07-31 10:40:45
|
Jamie Cameron wrote: > On 30/Jul/2006 18:53 Robert Moskowitz wrote .. > >> Jamie Cameron wrote: >> >>> On 27/Jul/2006 21:01 Robert Moskowitz wrote .. >>> >>> >>>> Well, >>>> >>>> I have finally gotten TinyCA2 up and working! Many things got in the >>>> way; but it is now up and running on my notebook (running Centos 4.3). >>>> >>>> >>>> But the server cert, I suspect I DO have to keep it informed, so WHEN >>>> >> I >> >>>> move it to a better directory than my home directory, I will have to >>>> update the file location in the SSL module. >>>> >>>> >>>> Now about that file being password protected.... >>>> >>>> When I supplied Webmin with the cert location (I put the cert and >>>> private key in a single file), the update failed with a message that >>>> webmin did not restart. >>>> >>>> So from a terminal window I issued: /etc/webmin/start >>>> >>>> And was asked: >>>> >>>> Enter PEM pass phrase: >>>> >>>> So either I have to live with being asked for the PEM pass phrase >>>> everytime I start Webmin (reasonable for running it occationally on >>>> >> my >> >>>> notebook), or creat the server cert without a passphrase? >>>> >>>> I can see that needing a passphrase on a server would require that said >>>> passphrase be somewhere on the filesystem (or in a token) anyway, so >>>> just put it in a root controled directory and don't passphrase protect >>>> it? What does Webmin do what it creates its own cert? >>>> >>>> >>> Webmin always creates non-password-protected cert files, to avoid the >>> >> problem >> >>> of the openssl library prompting for the password at startup time. I >>> >> suppose >> >>> I could add code to allow a password to be specified in Webmin's config >>> >> files >> >>> somewhere (like Apache does), but security-wise this would be no different >>> from not having a passphrase at all! >>> >>> Basically, I recommend creating certs without a passphrase, if you want >>> >> to >> >>> use them with a web server than can be started automatically at boot >>> >> time. >> I cannot see how to get TinyCA to create a server cert without a >> password. When I leave the password field blank, I get a error about no >> password.... >> >> So until I can get the author to accommodate non-passworded server >> certs, I worked out the following: >> >> echo password > /etc/webmin/start >> >> I can put that into the webmin start script. >> > > I guess you really mean echo password | /etc/webmin/start right? > I looked in the SSL Perl library for a way of automating this so that > the passphrase can be in the Webmin configuration, but there doesn't > seem to be any :-( > Interestingly, | does not work, but > does..... Empirical testing wins out over theory. |
