LinuxQuestions.org
Old 10-21-2013, 05:46 PM   #1
canopus69
LQ Newbie
 
SSL Certificate/Key file permissions


ca.key, ca.csr & ca.crt (self-generated) are created on Red Hat 6.4 with default permissions 644. Is there any reason these are being created with world-readable permissions?

I would imagine to be secure it should be 600.
 
Old 10-21-2013, 06:34 PM   #2
sag47
Senior Member
 
The OpenSSL toolset doesn't worry about permissions, as it is available for several platforms. It's up to the admin to set up proper permissions. 600 is recommended for the private key, but 644 can be the public key permissions.
 
Old 10-21-2013, 06:37 PM   #3
sundialsvcs
Guru
 
You might be thinking about ssh, which does care about file-permissions (in that, if the permissions on the file are "too permissive," it won't recognize it). I don't think that SSL does that ...

As far as I know, though, none of these files contain "secret" information. They are generated using secret information, in each case held only by one of the two parties, but "they are not secret themselves ... and that is the point." The purpose of the whole thing, as I understand it, is: "I can generate it (you can't) ... you can sign it (I can't) ... I can verify the signature and can't alter what has been signed."

Working together, each party revealing none of its secrets (but employing those secrets), the key exchange can be accomplished, using files that do not have to be kept secret or conveyed across a secure channel. And that's the essential reason for the entire contretemps.

Old 10-21-2013, 07:19 PM   #4
sag47
Senior Member
 
Quote: Originally Posted by sundialsvcs
You might be thinking about ssh, which does care about file-permissions (in that, if the permissions on the file are "too permissive," it won't recognize it). I don't think that SSL does that ...

As far as I know, though, none of these files contain "secret" information. They are generated using secret information, in each case held only by one of the two parties, but "they are not secret themselves ... and that is the point." The purpose of the whole thing, as I understand it, is: "I can generate it (you can't) ... you can sign it (I can't) ... I can verify the signature and can't alter what has been signed."

Working together, each party revealing none of its secrets (but employing those secrets), the key exchange can be accomplished, using files that do not have to be kept secret or conveyed across a secure channel. And that's the essential reason for the entire contretemps.
"ca.key, ca.csr & ca.crt" are not part of OpenSSH but appear to be part of an SSL public key infrastructure. The OpenSSH files whose permissions you're referring to are mentioned in the OpenSSH FAQ (namely authorized_keys, .ssh, and the user's $HOME). The names the OP refers to appear to be X.509 certificates. While OpenSSL (and SSL in general) does not require any special permissions to operate correctly, it is *recommended* that any keys (*.key) have 600 permissions (not required). Public certificates (*.crt) and certificate signing requests (*.csr) do not matter so much permission-wise because they're intended to be publicly distributed.

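The recommendation above (600 on *.key, 644 is fine for *.crt and *.csr) also answers the OP's original question: OpenSSL never chmods the files it writes, so a new ca.key simply gets 0666 minus the shell's umask, which is 0644 under the usual umask 022. The script below is an added example, not code from the thread. It predicts the mode a new file gets under a given umask and audits a directory for PEM private keys that group or other can read, identifying keys by content rather than by the .key extension. It assumes GNU `stat -c` (with a BSD `stat -f` fallback); the files it writes are constructed placeholders, not real key material.

```sh
#!/bin/sh
# Added example (not from the thread): why a freshly written ca.key is 0644
# and how to find private keys that other users can read.
# Assumes GNU coreutils `stat -c`, with a BSD `stat -f` fallback.

# Print the octal permission bits of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Predict the mode a new regular file gets under a 3-digit octal umask:
# the kernel starts from 0666 and clears every bit set in the umask.
# OpenSSL does not chmod anything, so this is exactly what ca.key gets.
mode_for_umask() {
    printf '%o\n' $(( 0666 & ~0$1 ))
}

# List files in directory $1 that hold a PEM private key and are readable or
# writable by group or other. Prints "<mode> <path>" per offender; returns 1
# if any were found, 0 if the directory is clean.
audit_private_keys() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Identify keys by content, not by name: a .pem may hold a key too.
        grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" || continue
        mode=$(file_mode "$f")
        case "$mode" in
            *00) ;;                         # group/other bits all clear
            *)   echo "$mode $f"; found=1 ;;
        esac
    done
    return $found
}

# Demonstration on constructed files: the "key" below is placeholder text,
# not real key material.
demo=$(mktemp -d)
(
    umask 022   # typical root-shell default: 0666 & ~022 = 0644
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nconstructed placeholder\n-----END RSA PRIVATE KEY-----\n' > "$demo/ca.key"
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n' > "$demo/ca.crt"
)
echo "umask 022 -> $(mode_for_umask 022), umask 077 -> $(mode_for_umask 077)"
audit_private_keys "$demo" || echo "ca.key is readable by others; tightening"
chmod 600 "$demo/ca.key"
audit_private_keys "$demo" && echo "audit clean"
rm -rf "$demo"
```

Running `audit_private_keys /etc/pki/CA/private` (or wherever the CA lives) as a cron job is a cheap check that nobody has recreated a key under a permissive umask; the content match also catches keys that were renamed to .pem or dropped next to certificates.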
Old 10-22-2013, 06:13 PM   #5
sundialsvcs
Guru
 
Quote: Originally Posted by sag47
"ca.key, ca.csr & ca.crt" are not part of OpenSSH but appear to be part of an SSL public key infrastructure. The OpenSSH files whose permissions you're referring to are mentioned in the OpenSSH FAQ (namely authorized_keys, .ssh, and the user's $HOME). The names the OP refers to appear to be X.509 certificates. While OpenSSL (and SSL in general) does not require any special permissions to operate correctly, it is *recommended* that any keys (*.key) have 600 permissions (not required). Public certificates (*.crt) and certificate signing requests (*.csr) do not matter so much permission-wise because they're intended to be publicly distributed.
Yes. Exactly my point. It's easy to confuse the two. Very easy.
 
Old 10-22-2013, 07:05 PM   #6
sag47
Senior Member
 
Quote: Originally Posted by sundialsvcs
Yes. Exactly my point. It's easy to confuse the two. Very easy.
Ah, I get what you mean now. I thought you had confused it haha. Confusion all around!
 
Old 10-22-2013, 07:41 PM   #7
canopus69
LQ Newbie
 
Quote: Originally Posted by sag47
Ah, I get what you mean now. I thought you had confused it haha. Confusion all around!
Thanks to both of you for your replies.
 
Old 10-23-2013, 04:01 AM   #8
ericson007
Member
 
I know you solved it, but just an interesting thing if you want to properly sign certificates and use HTTPS:

http://codeghar.wordpress.com/?s=sig...&submit=Search

You set up your own CA and sign keys using only OpenSSL. I know there are different solutions which are better, but just for a handful of internal certs I quite like that setup.
 
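The "own CA with nothing but openssl" setup suggested above, combined with the permission advice earlier in the thread, as an added example that is not code from the thread or from the linked post: a throwaway internal CA created under umask 077, signing one server certificate whose extensions are dictated by the CA rather than copied from the CSR, followed by a chain check. The directory layout, file names, key sizes and the hostname internal.example are assumptions for illustration. The inline req.cnf replaces the distribution's openssl.cnf so the result does not depend on whatever its [v3_ca] section contains.

```sh
#!/bin/sh
# Added example, not taken from the thread or the linked blog: a throwaway
# internal CA built with openssl(1) only. Directory, file names and the
# hostname "internal.example" are assumptions for illustration.
set -e
umask 077   # every new file is born owner-only (0600); public ones are relaxed below

# Print the octal permission bits of a file, e.g. 600 (GNU stat, BSD fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Create $1/ca.key (0600) and $1/ca.crt (0644) marked CA:TRUE + keyCertSign.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    # Config written inline so the example does not depend on the
    # distribution's openssl.cnf; [v3_ca] marks the certificate as a CA.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$dir/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
        -config "$dir/req.cnf" -extensions v3_ca -out "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"              # the certificate is public by design
}

# Issue $1/$2.key, $2.csr and $2.crt for hostname $3, signed by the CA in $1.
issue_server_cert() {
    dir=$1 name=$2 host=$3
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$name.key" 2>/dev/null
    # -subj overrides the CN in req.cnf; the config is only there for [req].
    openssl req -new -key "$dir/$name.key" -config "$dir/req.cnf" \
        -subj "/CN=$host" -out "$dir/$name.csr"
    # Leaf extensions come from the CA's own file, never from the CSR, so a
    # requester cannot smuggle CA:TRUE or an extra SAN into the signed cert.
    cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt"
    chmod 644 "$dir/$name.csr" "$dir/$name.crt"   # public; the .key stays 0600
}

# Exit 0 only if $1/$2.crt chains to $1/ca.crt.
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null; }

if command -v openssl >/dev/null 2>&1; then
    ca_dir=$(mktemp -d)
    make_ca "$ca_dir"
    issue_server_cert "$ca_dir" server internal.example
    verify_chain "$ca_dir" server && echo "server.crt verifies against ca.crt"
    ls -l "$ca_dir"          # expect 600 on *.key, 644 on *.crt and *.csr
    rm -rf "$ca_dir"
else
    echo "openssl(1) not found; nothing generated" >&2
fi
```

Because the umask is set before any key is written, ca.key and server.key never exist with mode 644 even for an instant, which a chmod after the fact cannot guarantee. Run it as the user that will own the CA directory, and keep ca.key off the web server entirely: only server.key, server.crt and ca.crt need to be deployed.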
Old 10-23-2013, 05:32 PM   #9
canopus69
LQ Newbie
 
Quote: Originally Posted by ericson007
I know you solved it, but just an interesting thing if you want to properly sign certificates and use HTTPS:

http://codeghar.wordpress.com/?s=sig...&submit=Search

You set up your own CA and sign keys using only OpenSSL. I know there are different solutions which are better, but just for a handful of internal certs I quite like that setup.
Thanks.
 
  

