Question
I want to generate a Certificate Signing Request for my server and in order to do so, I first need a secure private key. When I create a private key by using openssl genrsa -des3 -out server.key 2048, I'm asked to provide a passphrase. After doing some research, I found out that not having a passphrase is a high security risk because once my private key gets compromised, the hacker will be able to decrypt everything that was encrypted using my key.
My question is: how is my server supposed to work with a private key that needs a passphrase? Since it is headless, there is no way I can enter the key when my server boots. How is Apache going to handle that?
Explanation / Answer
To give a slightly different perspective on this: asking the question as to whether something is a big security risk is a little tricky. First off, let's ask this question: is the information stored on the website confidential? Is there more of a security risk if the site is offline? If you have confidential information on the website or travelling through the website, then it would be a high risk not to encrypt your private key. However, if you do not have confidential information and it is more important that the site is up all the time, then it may be more of a security risk to sign the private key; as the previous poster mentioned, this will mean you have to enter the password on Apache load.
There are 3 areas of security, in general: Confidentiality, Integrity and Access. You would sign the cert if C&I are a concern and not if A is a concern.
Of course you can always have your cake and eat it too by having a web server farm, or even just VM instances, then load balance them with a health check on 443. This way traffic is redirected to the Apache servers that are running while someone attends to entering the password for the private key. This just takes money; the more you have, the more you can do.
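A check that follows from the question and answer above, as an added example that is not code from the original thread: a small POSIX shell script that audits a PEM private key file the way one would before handing it to Apache (is it passphrase-protected, is it readable only by its owner) and, when OpenSSL is installed, produces an encrypted key and a CSR from it without an interactive prompt. The KEY_PASS environment variable, the example.com subject and the constructed key files are assumptions.

```shell
# Added example (not from the original post): audit a PEM private key before Apache
# gets it, and generate an encrypted key plus CSR without a prompt if OpenSSL exists.
# Succeed (0) if the PEM key in $1 is passphrase-protected: either the legacy
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Succeed (0) only if the key file is readable by its owner alone (mode 0400 or 0600).
key_mode_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# Combined audit: 0 when both checks pass; otherwise report each failure and return 1.
audit_key() {
    ok=0
    key_is_encrypted "$1"    || { echo "$1: stored without a passphrase"; ok=1; }
    key_mode_is_private "$1" || { echo "$1: readable by other users"; ok=1; }
    return $ok
}

# Write a constructed key file (headers only, no real key material): $1 path, $2 kind.
write_constructed_key() {
    if [ "$2" = "encrypted" ]; then
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
            'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'constructed-placeholder' \
            '-----END RSA PRIVATE KEY-----' > "$1"
    else
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-placeholder' \
            '-----END RSA PRIVATE KEY-----' > "$1"
    fi
    chmod 600 "$1"
}

demo=$(mktemp -d)
write_constructed_key "$demo/server.key" encrypted
write_constructed_key "$demo/plain.key" plain
audit_key "$demo/server.key" && echo "server.key passes the audit"
audit_key "$demo/plain.key" || true    # reports: stored without a passphrase
# Real key and CSR, no interactive prompt; KEY_PASS as passphrase source is an assumption.
if command -v openssl >/dev/null 2>&1; then
    KEY_PASS="${KEY_PASS:-constructed-demo-passphrase}"; export KEY_PASS
    openssl genrsa -des3 -passout env:KEY_PASS -out "$demo/real.key" 2048 2>/dev/null &&
    openssl req -new -key "$demo/real.key" -passin env:KEY_PASS \
        -subj '/CN=www.example.com' -out "$demo/server.csr" 2>/dev/null &&
    chmod 600 "$demo/real.key" && audit_key "$demo/real.key" && echo "real.key passes"
fi
rm -rf "$demo"
```

On the Apache side, mod_ssl's SSLPassPhraseDialog directive controls how the passphrase is obtained at startup, which is where the headless-server question gets decided.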