edit: nginx v1.7.3 added the ssl_password_file directive, which reads passphrases from a given file; each passphrase is tried in turn when loading encrypted-private.key
indiv is correct that the -nodes argument means that OpenSSL will create an UNencrypted private.key; otherwise, you will be prompted for a passphrase to create encrypted-private.key. See req, pkcs12, CA.pl
however, I believe that the point (for developers) is:
- HTTP servers (e.g. Apache, Nginx) cannot read encrypted-private.key without the passphrase ->
- Option A - every time the HTTP server starts, you must provide the passphrase for encrypted-private.key
- Option B - specify ssl_password_file file.keys; in the context of http { } or server { }. [ ref ]
- Option C - use -nodes to create private.key without encryption.
useful: lock down private.key
- {add the HTTP server to the ssl-cert group}
- sudo chown root:ssl-cert private.key - change the owner of private.key to the root user, ssl-cert group
- sudo chmod 640 private.key - change the access rights of private.key to owner R/W, group R
- now the HTTP server should be able to run and read the UNencrypted private.key
Option A - higher security, but when you restart the server, you must manually enter the passphrase for encrypted-private.key
Option B - medium security and probably a good balance between A / C
Option C - weaker security, but NO passphrase prompt for the UNencrypted private.key
Jake Berger May 18 '14 at 3:38
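The chown/chmod step in the answer above is easy to get wrong silently (a key left at 644 still "works", it is just world-readable). The following shell script is an added example, not code from the answer or from nginx/OpenSSL: it checks that a key file, or the file.keys named in ssl_password_file, carries 0640 or stricter, the ownership/mode the answer recommends. The file paths used in the usage lines are constructed for the example.

```sh
#!/bin/sh
# Added example (not part of the original answer): verify that a TLS private
# key, or an nginx ssl_password_file, is readable only by its owner and the
# server's group (e.g. root:ssl-cert with chmod 640) and not by anyone else.

# Print the octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the mode is 0640 or stricter: no "other" bits at all, group
# read-only or nothing, owner readable with no execute bit.
# 600, 640, 400, 440 pass; 644, 660, 664, 777 fail.
mode_is_private() {
    mode=$1
    # keep only the last three digits (drop a setuid/setgid/sticky prefix)
    mode=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')
    owner=$(printf '%s' "$mode" | cut -c1)
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    [ "$other" = 0 ] || return 1
    case $group in 0|4) ;; *) return 1 ;; esac
    case $owner in 4|6) ;; *) return 1 ;; esac
    return 0
}

# Check a file on disk: prints OK/FAIL and returns 0/1 accordingly.
check_key_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "FAIL: $f does not exist"
        return 1
    fi
    m=$(file_mode "$f")
    if mode_is_private "$m"; then
        echo "OK: $f mode $m"
        return 0
    fi
    echo "FAIL: $f mode $m is too permissive (want 0640 or stricter, e.g. chmod 640)"
    return 1
}

# Usage (constructed paths): check both the key and the passphrase file, since
# with Option B the passphrase file is exactly as sensitive as the key itself.
# check_key_file /etc/ssl/private/private.key
# check_key_file /etc/nginx/file.keys
```

Run it after the chown/chmod step as root or as the server's user; a FAIL on file.keys is just as serious as one on private.key, because whoever can read the passphrase file can unlock encrypted-private.key.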