Password protected SSL certificate

Tiesong Wang
17 February 2009, 11:18
I need to use a password protected server key file. Where do I set the password in the config file? Or is it not supported to use a password protected server key?

Thanks in advance!
Hugo Leisink
17 February 2009, 11:31
Password protected certificate/key files are not supported by Hiawatha. You have to remove the password protection first.
Tiesong Wang
17 February 2009, 11:34
Thanks a lot!
xiaobao
17 February 2009, 11:39
How do I remove the password protection? Can I use openssl?
Hugo Leisink
17 February 2009, 12:22
You can use openssl to remove the password.
openssl rsa -in <input file>.pem -out <output file>.pem
xiaobao
18 February 2009, 05:48
Thank you for the guide. I did the test as you said and it works fine. But the output file is only a private key file. It does not include the certificate and private key.
Hugo Leisink
18 February 2009, 10:15
The original file probably looks like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-etc etc etc

<encrypted private key>
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----



If you use the openssl command as specified above, you will get an output that looks like this:
-----BEGIN RSA PRIVATE KEY-----
<unencrypted private key>
-----END RSA PRIVATE KEY-----


What you have to do is edit the original file and replace the 'RSA PRIVATE KEY' section with the output of the openssl command. You will get a file that looks like this:

-----BEGIN RSA PRIVATE KEY-----
<unencrypted private key>
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----

xiaobao
19 February 2009, 04:24
Have done. Thank you for the guidance! It worked fine. But why do we support "the private key with password protected"? I am not clear on that. Does httpd support this?
Hugo Leisink
19 February 2009, 10:26
I don't understand your question. Can you re-phrase it?
xiaobao
23 February 2009, 06:47
Why do we not support the certificate with password protection? Does the httpd service in Linux support it?
Hugo Leisink
23 February 2009, 14:26
Linux doesn't have a httpd service, so it's not a Linux thing. The reason why I haven't built in support for password-protected certificate files in Hiawatha is because it doesn't make things more secure. If Hiawatha did support it, the password would have to be entered in the configuration file in order for Hiawatha to be able to read the certificate file. So, you have to 1) restrict read access to the unprotected certificate file or 2) restrict read access to the configuration file which contains the password for the password-protected certificate file. The security of the certificate file therefore depends on the read access of 1 single file. I decided to keep things simple. No password on the certificate file and restrict read access on the certificate file itself. Clear and simple.
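Added example, not part of the original posts and not Hiawatha's own code: the key-replacement procedure from the 18 February reply, combined with the read-access restriction described in the reply above, as one shell function. The function names, file names and the optional third argument (passed to openssl's -passin option) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Function and file names are
# hypothetical. Assumes the input PEM holds one private key, protected with
# a passphrase, and one or more certificates.

# Print every CERTIFICATE block of a PEM file unchanged.
extract_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { copy = 1 }
         copy                           { print }
         /^-----END CERTIFICATE-----/   { copy = 0; print "" }' "$1"
}

# unprotect_pem <input.pem> <output.pem> [passin]
# Writes the unencrypted key followed by the certificate(s) to <output.pem>.
# [passin] is an optional value for openssl's -passin option (for example
# file:/path/to/passfile); without it openssl prompts for the passphrase.
unprotect_pem() (
    src=$1 dst=$2 passin=${3:-}
    [ -r "$src" ] || { echo "cannot read $src" >&2; exit 1; }
    [ "$src" != "$dst" ] || { echo "refusing to overwrite $src" >&2; exit 1; }

    umask 077                          # nothing created here is group/world readable
    tmp=$(mktemp "$dst.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT           # drop the partial file on any failure

    {
        # The command from the thread; with no -out the key goes to stdout.
        openssl rsa -in "$src" ${passin:+-passin "$passin"} || exit 1
        echo
        extract_certs "$src"
    } > "$tmp" || exit 1

    # A key-only result is what the plain openssl command gives; reject it.
    grep -q '^-----BEGIN CERTIFICATE-----' "$tmp" ||
        { echo "no certificate found in $src" >&2; exit 1; }

    mv "$tmp" "$dst"                   # mode stays 0600: owner read/write only
)
```

The output file should then be owned by the account that reads it at server start, since no other account can open it.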
xiaobao
25 February 2009, 03:52
got it, thanks for all your help!!
This topic has been closed.