[openssl-users] scripting creating a cert

Viktor Dukhovni openssl-users at dukhovni.org
Fri Mar 10 01:53:33 UTC 2017


> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
> 
>>   $ umask 077 # avoid world-readable private keys
> 
> Perhaps (no perhaps about it) this is old information, but I picked up that I needed:
> 
> chmod 640 for the private keys for Apache.  (and postfix and others use these certs; at least they are in their confs)

I strive to avoid the private disclosure race of first creating
a world-readable file, and then trying to do a quick chmod before
the bad guys get around to opening it.  That's why I recommend the
umask approach.

You can adjust the umask to suit your needs.  With OpenSSL 1.1.0,
if I recall correctly "keyout" files and the like are automatically
opened mode "0600". Rich Salz, who wrote the CLI option processing
code for 1.1.0, will correct me if my memory is faulty.  There are
still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
always figure out which files end up having private keys in them,
so the umask approach is a good precaution to keep using.

-- 
	Viktor.
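The umask approach above, as an added shell example that is not part of the original post or of OpenSSL itself. It wraps a key-generating command in a subshell that sets umask 077, so every file the command creates is 0600 from the moment it exists and there is no window between creation and a later chmod. The helper functions (run_private, perm_of, is_owner_only), the CN "example.test", and the fallback used when openssl is not on PATH are all constructed for the example.

```shell
#!/bin/sh
# Added example for the umask advice in this thread; not code from the post.
set -eu

# Run a command under umask 077 in a subshell.  Files it creates are
# born owner-only (0600 for regular files); the caller's umask is untouched.
run_private() {
    ( umask 077; "$@" )
}

# Portable permission string such as "-rw-------" (GNU and BSD ls agree
# on the first ten characters; an ACL/SELinux marker in column 11 is cut).
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds only if nobody but the owner can read the file.
is_owner_only() {
    case "$(perm_of "$1")" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# The racy way the thread warns about: the file is created under the
# caller's umask (often 022, giving 0644) and only then tightened.
racy_write() {
    printf '%s\n' "constructed stand-in for a private key" > "$1"
    chmod 600 "$1"   # too late if someone opened the file already
}

main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    umask 022   # a typical interactive default

    if command -v openssl >/dev/null 2>&1; then
        # "keyout" file generated entirely under umask 077.
        run_private openssl req -new -newkey rsa:2048 -nodes \
            -subj /CN=example.test \
            -keyout "$tmp/key.pem" -out "$tmp/req.pem" 2>/dev/null
    else
        # Constructed fallback so the permission behaviour is still visible.
        run_private sh -c 'printf "%s\n" "stand-in key" > "$1"' _ "$tmp/key.pem"
    fi
    echo "key.pem (umask 077): $(perm_of "$tmp/key.pem")"
    is_owner_only "$tmp/key.pem" && echo "key.pem was never world-readable"

    racy_write "$tmp/racy.pem"
    echo "racy.pem (chmod after): $(perm_of "$tmp/racy.pem") now, but 0644 at creation"

    printf 'caller umask still: '; umask
}

main "$@"
```

Because umask is set inside the subshell, the surrounding script or interactive session keeps its own umask; the stricter value applies only to the one command that produces the key, which is what you want when the same script also writes certificates that services must read.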
