Permissions for SSL key?


Solution 1

Private keys should have reading heavily restricted. Setting permissions to 600 and owned by root should work. However, there are other secure permissions settings - Ubuntu stores keys in a directory with owner root and group ssl-cert and permissions 710. This means that only members of ssl-cert can access any files in that directory. Private keys then have group ssl-cert, owner root, and permissions 640.

Solution 2

I had an issue getting nginx set up and came across this question. The other answer here has already directly answered the question, but I thought a little more information would be helpful.

Normally, nginx is started as the root user by init scripts / systemd. However, nginx also has the ability to switch to a less privileged user for normal operations. So my question was which user is used to load the ssl certificate/key? The initial privileged user or the one that is switched to?

Fortunately, nginx uses the initial permissions to read the certificate and key into memory before switching users. So, normally, you really can leave the keys with very restricted permissions as they are loaded by nginx when it's still running as root.


The problem that I was running into that landed me here was that I was defining ssl_certificate only in my server blocks in nginx.conf. I was getting errors like "[error] 18606#18606: *311 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking" when I knew darn good and well that my keys were in the right place. That issue was that I didn't have an ssl_certificate at the http level of nginx.conf.

Hope this is helpful for someone.
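As an added example (not from either answer, and not part of nginx), a small POSIX sh audit that checks a key file against the two layouts Solution 1 describes: owner-only 0600, or 0640 with a dedicated group such as Ubuntu's ssl-cert inside a root-owned directory. Since Solution 2 notes that nginx reads the key while still root, the expected owner defaults to root; it assumes GNU coreutils `stat -c` (Linux), and the owner and group are parameters so it can also be run against a staging copy.

```shell
#!/bin/sh
# Added audit helper (not from the answers above). Verifies that a TLS private
# key is owner-only (e.g. 600) or group-readable by one expected group (640),
# never world-accessible, and owned by the expected user (root by default).
# Assumes GNU coreutils `stat -c` (Linux).

# key_perm_check FILE [OWNER] [GROUP]  -> returns 0 if the key is acceptably locked down
key_perm_check() {
    f=$1; want_owner=${2:-root}; want_group=${3:-ssl-cert}
    if [ ! -f "$f" ]; then echo "FAIL: $f is not a regular file"; return 1; fi
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f"); group=$(stat -c '%G' "$f")
    mode=$(printf '%03d' "$mode")       # pad "0" to "000"
    mode=${mode#"${mode%???}"}           # keep the rwx digits, drop setuid/setgid/sticky
    g=${mode#?}; g=${g%?}; o=${mode#??}  # group digit, other digit
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $f is owned by $owner, expected $want_owner"; return 1
    fi
    if [ "$o" != 0 ]; then
        echo "FAIL: $f mode $mode is world-accessible"; return 1
    fi
    case "$g" in
        0) echo "OK: $f is $mode $owner:$group (owner-only)"; return 0 ;;
        4) if [ "$group" != "$want_group" ]; then
               echo "FAIL: $f is group-readable by $group, expected $want_group"; return 1
           fi
           dir=$(dirname "$f")
           dmode=$(stat -c '%a' "$dir"); dmode=${dmode#"${dmode%???}"}
           echo "OK: $f is $mode $owner:$group; directory $dir is $dmode (Ubuntu uses 710)"
           return 0 ;;
        *) echo "FAIL: $f mode $mode lets group $group write or execute the key"; return 1 ;;
    esac
}

# Usage: sh keyperm.sh /etc/ssl/private/server.key [owner] [group]
if [ "$#" -gt 0 ]; then key_perm_check "$@"; fi
```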

Author: ChocoDeveloper

Updated on September 18, 2022

Comments

  • ChocoDeveloper (over 1 year ago)

    I'm trying to set up a secure connection (https) in nginx.

    But I'm a bit worried about the private key's permissions, which aren't mentioned in any tutorial.

    Should I change them? To what?

  • Mohammad Sleiman (over 8 years ago)
    I'll add, for specificity: When using nginx on CentOS 7, it is not necessary to make either the certificate or the private key readable by those in the nginx group. The webserver will be able to use them even if they are readable only by root (as they should be).