What Should be the Permissions of Apache SSL Directory, Certificate, and Key?
I have my cert.pem and cert.key files in /etc/apache2/ssl folders.
What would be the most secure permissions and ownership of:
- /etc/apache2/ssl directory
- /etc/apache2/ssl/cert.pem file
- /etc/apache2/ssl/cert.key file
(Ensuring https:// access works of course :).
Thanks,
JP
apache-2.2 security permissions ssl file-permissions
edited Aug 12 '15 at 13:17 by Will
asked Dec 27 '10 at 17:53 by JP19
2 Answers
The directory permissions should be 700, the file permissions on all the files should be 600, and the directory and files should be owned by root.
answered Dec 27 '10 at 17:59 by Mike Scott
Thanks. This works. One thing - I guess the files only need to be read by root that starts the apache daemon. Why do we need to give "write" permissions to the file?
– JP19, Dec 27 '10 at 18:11
The files will need updating periodically, as your certificates expire and need to be renewed, and since there's no real security risk in making them writeable it makes life slightly simpler. They don't need to be readable for day-to-day use, so you can use 400 permissions (and 500 on the directory) if you don't mind having to fiddle with them at renewal time.
– Mike Scott, Dec 27 '10 at 18:13
It should be noted that the official Apache Docs do not agree with Mike's original suggestions about SSL and go with his second suggestion here in the comments.
– nottinhill, Oct 29 '13 at 23:02
What should the owner be?
– John Bachir, Feb 28 '15 at 23:04
Where did you find the "official Apache Docs" about SSL?
– user9, Sep 21 '16 at 11:19
The most important thing is to make sure the *.key files are only readable by root (SSL/TLS Strong Encryption: FAQ).
My experience is that this can also be applied to the other certificate files (like *.crt, for example).
So we should set root as the sole owner of the directory and its files:
$ chown -R root:root /etc/apache2/ssl
And we can set the most restrictive permissions for this location:
$ chmod -R 000 /etc/apache2/ssl
In some particular cases, the location can of course be different.
answered 2 mins ago by simhumileco
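One way to check an existing directory against the limits given in the answers above (directory no looser than 700, files no looser than 600, everything owned by root), as an added example that is not part of the original posts. It assumes GNU stat, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a TLS directory against the limits from the answers.
# Assumes GNU stat (-c). Function names are hypothetical.

# mode_ok MODE MAX: succeeds when MODE sets no permission bit outside MAX.
mode_ok() {
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# check_path PATH MAX_MODE OWNER: print one line per finding, return 1 if any.
check_path() {
    meta=$(stat -L -c '%a %U' "$1") || return 2   # -L: judge a symlink's target
    mode=${meta% *}
    user=${meta#* }
    rc=0
    if [ "$user" != "$3" ]; then
        echo "OWNER $1: $user (expected $3)"
        rc=1
    fi
    if ! mode_ok "$mode" "$2"; then
        echo "MODE $1: $mode (expected no more than $2)"
        rc=1
    fi
    return $rc
}

# audit_tls_dir [DIR] [OWNER]: directory at most 700, files at most 600.
# 500/400 and 000 also pass, since they grant nothing beyond those limits.
audit_tls_dir() {
    dir=${1:-/etc/apache2/ssl}
    owner=${2:-root}
    bad=0
    check_path "$dir" 700 "$owner" || bad=1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty or unreadable directory
        if [ -d "$f" ]; then max=700; else max=600; fi   # not recursive
        check_path "$f" "$max" "$owner" || bad=1
    done
    return $bad
}

# Usage, as root:  audit_tls_dir /etc/apache2/ssl root
```

Run it as root so that a directory set to 500 or 000 can still be listed; a non-zero return status means at least one OWNER or MODE line was printed.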