Differences

This shows you the differences between two versions of the page.

litespeed_wiki:config:ssl-private-key [2015/07/30 17:43]
Michael Alegre created
litespeed_wiki:config:ssl-private-key [2020/06/22 20:57] (current)
Joshua Reynolds Removed unsupported example & fixed link
Line 7: Line 7:
  
   openssl genrsa -out server.key 2048   openssl genrsa -out server.key 2048
- 
-You can create a Triple-DES encrypted private key file by using 
- 
-  openssl genrsa -des3 -out server.skey 2048 
- 
-You need to give a password (pass-phase) for the private key file. You will be prompt for the password when the private key file is used every time. 
  
 LiteSpeed web server only support private key files without encryption. You probably think it is not safe for the private key. Well, in theory, it is not as safe as the encrypted version. But in reality, it is impossible to let user input password for the SSL keys whenever the server starts or restarts. Some web server can save the password somehow and automate the pass-phase when the server starts, but it is only as good as the machine is not compromised,​ unless your password is hardware protected. The private key file along with the certificate file should be placed in a directory that is only readable by whom the server running as. If you generated the encrypted key file, the pass-phase can be removed with the following command: LiteSpeed web server only support private key files without encryption. You probably think it is not safe for the private key. Well, in theory, it is not as safe as the encrypted version. But in reality, it is impossible to let user input password for the SSL keys whenever the server starts or restarts. Some web server can save the password somehow and automate the pass-phase when the server starts, but it is only as good as the machine is not compromised,​ unless your password is hardware protected. The private key file along with the certificate file should be placed in a directory that is only readable by whom the server running as. If you generated the encrypted key file, the pass-phase can be removed with the following command:
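Review bot: With the -des3 example deleted, the retained paragraph still ends with "If you generated the encrypted key file, the pass-phase can be removed with the following command:", and the command that follows reads from server.skey, a file name that was only introduced by the removed line "openssl genrsa -des3 -out server.skey 2048". Nothing on the page now explains where an encrypted key or server.skey would come from. Suggest rewording that sentence along the lines of "If you already have a passphrase-protected key file (server.skey in this example), the passphrase can be removed with the following command:" so the command stands on its own. Since the page now covers only unencrypted keys, the advice that the key and certificate belong in a directory readable only by the user the server runs as would also be easier to follow with the actual ownership and permission steps spelled out next to it.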
Line 18: Line 12:
   openssl rsa -in server.skey -out server.key   openssl rsa -in server.skey -out server.key
  
-1024 in above commands is the length of the private key in bits. The bigger private key is more secure. You can create bigger private key like 2048 bit. However, if you plan to get your certificate from certificate issuer, you may have to use 1024 bit private key as it is the biggest key they can process, check with the issuer first. For more information about creating SSL private key please visit [[http://www.openssl.org/​docs/HOWTO/​keys.txt|http://​www.openssl.org/​docs/​HOWTO/​keys.txt]]+2048 in above commands is the length of the private key in bits. The bigger private key is more secure. For more information about creating SSL private key please visit [[https://wiki.openssl.org/​index.php/Command_Line_Utilities#​Generating_an_RSA_Private_Key|OpenSSL documentation]].
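Review bot: In the replacement sentence, "2048 in above commands" no longer matches the page. After this revision the only command that carries a key length is "openssl genrsa -out server.key 2048", and the command directly above this sentence, "openssl rsa -in server.skey -out server.key", takes no length at all. Suggest "2048 in the genrsa command above is the length of the private key in bits". The old sentence's "check with the issuer first" advice is dropped together with the 1024-bit limit. If issuers can still constrain key sizes, a short version of that remark is worth keeping next to "The bigger private key is more secure".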
  • Last modified: 2020/06/22 20:57
  • by Joshua Reynolds