Centos – Where/how to store the web server’s private key on centos

Tags: centos, private-key, web-server

I have to configure a number of webservers to use HTTPS, I wouldn't consider any 'high security', but I want to cover at least basic security best practices.

I'm wondering where I should store the private key the webserver needs to support HTTPS, and how I should handle access to it? From what I read, making the private key passwordless and depending on file permissions is standard for a web server that doesn't need high security. However, the most likely compromise angle for any web server is an exploit in the server itself, resulting in anyone who has gotten access to the box already having read access to my key. Is there any easy way to minimize this threat?

I'm also not sure where to keep the key in regard to CentOS conventions. It looks like /etc/pki is where I should put my keys, but I'm not sure where within that directory private/public keys are usually stored; I don't understand its directory layout. I had read about private keys being stored in /etc/pki/private, but that directory doesn't exist by default, which makes me wonder if the convention is to create the directory or store the key elsewhere. More importantly, what I read also said that /etc/pki/private should only be readable by root, but my web server won't be running as root, so either I need to store the private key somewhere else or open up access to /etc/pki/private to my web server as well.

Best Answer

The master process for your webserver typically runs as root, including for reading SSL private keys, so putting it somewhere only root can read should suffice. If your server's compromised you're going to be re-keying your SSL certs anyway, and you've got bigger problems than MITMing.

Location doesn't matter at all (as long as the aforementioned permissions are in place), so put it wherever makes sense to you. Probably not /tmp, but my personal preference is a folder called keys or ssl in the webserver's config directory in /etc.
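The root-only layout the answer describes, as an added example that is not part of the original answer. It installs a key into a directory that only root can enter, with the key file itself mode 0600, and then checks that nothing is group- or world-readable. The directory /etc/httpd/ssl is the answer's "keys or ssl under the config directory" suggestion, used here as a placeholder; CentOS's own mod_ssl config ships pointing at /etc/pki/tls/private/localhost.key, which is another root-only directory that works just as well. The key material in the demo is constructed, the mode check assumes GNU stat as found on CentOS, and the chown to root only happens when the script itself runs as root.

```shell
#!/bin/sh
# Added example (not from the original page): put a TLS private key where
# only root can read it, then verify the result. Paths are placeholders.

# install_private_key SRC DIR NAME
# Copies SRC to DIR/NAME. DIR is created mode 0700 and the key ends up
# mode 0600. The subshell keeps the restrictive umask from leaking out.
# Ownership becomes root:root only when this runs as root; the web
# server's worker user is deliberately never given access.
install_private_key() {
    (
        umask 077                         # nothing we create is group/world readable
        mkdir -p "$2" && chmod 0700 "$2"
        cp "$1" "$2/$3" && chmod 0600 "$2/$3"
        if [ "$(id -u)" -eq 0 ]; then
            chown root:root "$2" "$2/$3"
        fi
    )
}

# check_key_perms FILE
# Prints "ok" when FILE is 0600/0400 and its directory is 0700/0500;
# otherwise prints what is wrong and returns 1. Uses GNU stat.
check_key_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing"; return 1; }
    fmode=$(stat -c '%a' "$f")
    dmode=$(stat -c '%a' "$(dirname "$f")")
    case "$fmode" in
        600|400) ;;
        *) echo "key mode $fmode"; return 1 ;;
    esac
    case "$dmode" in
        700|500) ;;
        *) echo "dir mode $dmode"; return 1 ;;
    esac
    echo ok
}

# Demo against a scratch tree. The key is a constructed placeholder, not a
# real private key; the "etc/httpd/ssl" path stands in for /etc/httpd/ssl.
demo() {
    work=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder, not a real key' \
        '-----END PRIVATE KEY-----' > "$work/server.key"
    chmod 0644 "$work/server.key"         # the common mistake: world-readable
    before=$(check_key_perms "$work/server.key" || true)
    install_private_key "$work/server.key" "$work/etc/httpd/ssl" server.key
    after=$(check_key_perms "$work/etc/httpd/ssl/server.key")
    rm -rf "$work"
    echo "before: $before; after: $after"
}
demo
```

Apache's parent process opens the key as root at startup (SSLCertificateKeyFile in ssl.conf), so the apache user never needs a group bit on the file; if a config test later complains that the key is unreadable, the fix is to run the server normally rather than to loosen the mode. One caveat the file mode does not cover: the workers are forked from the parent after the key is loaded, so a code-execution bug in a worker can still read the key out of that process's memory. Permissions protect the on-disk copy; only re-keying, as the answer says, fixes a compromised host.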