[openssl-users] scripting creating a cert

Robert Moskowitz rgm at htt-consult.com
Fri Mar 10 02:08:30 UTC 2017

On 03/09/2017 08:53 PM, Viktor Dukhovni wrote:
>> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>>    $ umask 077 # avoid world-readable private keys
>> Perhaps (no perhaps about it) this is old information, but I picked up that I needed:
>> chmod 640 for the private keys for Apache.  (and postfix and others use these certs; at least they are in their confs)
> I strive to avoid the private disclosure race of first creating
> a world-readable file, and then trying to do a quick chmod before
> the bad guys get around to opening it.  That's why I recommend the
> umask approach.
> You can adjust the umask to suit your needs.  With OpenSSL 1.1.0,
> if I recall correctly "keyout" files and the like are automatically
> opened mode "0600". Rich Salz, who wrote the CLI option processing
> code for 1.1.0 will correct me, if my memory if faulty.  There are
> still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
> always figure out which files end up having private keys in them,
> so the umask approach is a good precaution to keep using.

And Rich and I sit down and talk about things all the time at IETF. This 
time we will have some other items to discuss.

And since this will go into a world-readable (eventually) howto, this is 
good advice that I will work on incorporating.


More information about the openssl-users mailing list