For reference, this question is related to the following ones; but they do not provide the answer:
Storing RSA Private Key un-encrypted
SSL password on apache2 restart
I have an Apache 2.2 server running on Windows 2003 Server. My private key files are stored unencrypted in the same folder as the Apache config files (following the Apache guidelines here: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#removepassphrase).
The websites hosted on the server all share the same Apache instance. Apache runs under a dedicated user account, which has read access to the web folders and to the config/private key folders.
In principle, any customer should now be able to write a PHP script for reading these out, right? So it seems that this is not an ideal situation. The Apache guide says that the key files should only be readable by root. I can't do this since Apache would not be able to read them..
Is there a proper way to make these keyfiles readable to Apache without exposing them to any script running in Apache?
No comments:
Post a Comment