What Should be the Permissions of Apache SSL Directory, Certificate, and Key?
I have my cert.pem and cert.key files in /etc/apache2/ssl folders.

What would be the most secure permissions and ownership of:

- /etc/apache2/ssl directory
- /etc/apache2/ssl/cert.pem file
- /etc/apache2/ssl/cert.key file

(Ensuring https:// access works of course :).

Thanks,
JP

apache-2.2 security permissions ssl file-permissions
edited Aug 12 '15 at 13:17 by Will
asked Dec 27 '10 at 17:53 by JP19
2 Answers
The directory permissions should be 700, the file permissions on all the files should be 600, and the directory and files should be owned by root.
answered Dec 27 '10 at 17:59
Mike Scott
5
Thanks. This works. One thing - I guess the files only need to be read by root that starts the apache daemon. Why do we need to give "write" permissions to the file?
– JP19
Dec 27 '10 at 18:11
23
The files will need updating periodically, as your certificates expire and need to be renewed, and since there's no real security risk in making them writeable it makes life slightly simpler. They don't need to be readable for day-to-day use, so you can use 400 permissions (and 500 on the directory) if you don't mind having to fiddle with them at renewal time.
– Mike Scott
Dec 27 '10 at 18:13
5
It should be noted, that the official Apache Docs do not agree with Mike's original suggestions about SSL and go with his second suggestion here in the comments.
– nottinhill
Oct 29 '13 at 23:02
5
What should the owner be?
– John Bachir
Feb 28 '15 at 23:04
where did you find the "official Apache Docs" about ssl
– user9
Sep 21 '16 at 11:19
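An added example, not part of the thread: a shell audit for the layout discussed in the answer and comments above (directory 700 or 500, files 600 or 400, a single owner), plus a helper that applies the 700/600 variant. It assumes GNU find for `-perm /MODE`; the function names and the optional OWNER argument (default root) are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU find (-perm /MODE).
# audit_ssl_dir and harden_ssl_dir are hypothetical helper names.

# audit_ssl_dir DIR [OWNER]
# Lists every path under DIR that breaks the policy from the answer above:
#   directories: owned by OWNER, no group/other bits   (700 and 500 pass)
#   other files: owned by OWNER, no exec bit, no group/other bits
#                (600 and 400 pass; symlinks are always listed, so their
#                targets get checked by hand)
# Returns 0 if clean, 1 if anything is listed, 2 if find itself failed.
audit_ssl_dir() {
    dir=$1
    owner=${2:-root}
    bad=$(find "$dir" \( \
            -type d \( ! -user "$owner" -o -perm /077 \) -o \
            ! -type d \( ! -user "$owner" -o -perm /177 \) \
        \) -print) || return 2
    if [ -n "$bad" ]; then
        printf 'wrong owner or too permissive:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# harden_ssl_dir DIR [OWNER]
# Applies the 700/600 layout; run as root when OWNER is root.
harden_ssl_dir() {
    dir=$1
    owner=${2:-root}
    chown -R "$owner" "$dir" &&
    find "$dir" -type d -exec chmod 700 {} + &&
    find "$dir" -type f -exec chmod 600 {} +
}
```

Run as root, `audit_ssl_dir /etc/apache2/ssl || harden_ssl_dir /etc/apache2/ssl` reports the offending paths and then fixes them. Because Apache reads the key as root at startup before dropping privileges, the tightened modes do not affect https:// access.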
The most important is to make sure the *.key files are only readable by root (SSL/TLS Strong Encryption: FAQ).

My experience is that it could be realized also to other files of the certificates (like *.crt for example).

So we should set the root as the only one owner of the directory and its files:

$ chown -R root:root /etc/apache2/ssl

And we can set the most restrictive permissions for this localization:

$ chmod -R 000 /etc/apache2/ssl

In some particular case, the localization can be different of course.
answered Apr 4 at 23:03
simhumileco