Apache and SSL: Key Encryption
In the previous Apache and SSL tutorial, we created a private key and a self-signed certificate for our secure server. What we did not cover was protecting the server’s key with a passphrase. It’s never a good idea to leave a private key sitting around in unencrypted form, so in this tutorial, we will encrypt it and learn what difficulties this brings about on a Windows system.
openssl genrsa -rand file1 -des3 1024 > server.key
If that’s all that was needed to protect the key, then I could have easily made the change in my previous post. The problem is that when the Apache service starts, it needs to know how to decrypt the private key. It needs to be given the passphrase. So, it can just ask for it, right? Well, no, that doesn’t work when it’s running on Windows.
Fortunately, a workaround is possible with a configuration change. Given the path to an executable file, Apache will run the program and use its output as the passphrase to decrypt the key. When I tried this, the window for my program was not visible even though I could see that it was indeed running. So you may need to be creative with your little program: you will not be able to type in the passphrase interactively, and leaving the passphrase anywhere in plain or unencrypted text defeats the purpose of the whole process. However you decide to solve the problem, have the program deliver the passphrase, and only the passphrase, to Apache through standard output.
Once you have created the application, you can make the change to httpd-ssl.conf, which is found in the conf/extra directory. Change the line
SSLPassPhraseDialog builtin
to
SSLPassPhraseDialog "exec:c:/path/to/program"
Of course, you will need to replace c:/path/to/program with the actual path to the application you created.
If the Apache service starts without error after you have made the configuration change, then you know that your program was called successfully and that you are using your server’s encrypted private key.
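As an added illustration of the exec: program the post asks you to write (this is not code from the original post), here is one PowerShell approach for keeping the passphrase out of plaintext: it stores the passphrase once as a DPAPI-protected string and decrypts it when the service starts. The script name, blob path and wrapper path are assumptions.

```powershell
# Get-ApachePassphrase.ps1  (hypothetical file name; constructed example)
#
# mod_ssl invokes the SSLPassPhraseDialog exec: program with two arguments,
# "servername:port" and the key type (RSA/DSA/ECC), and reads the passphrase
# from its standard output. The passphrase is stored DPAPI-encrypted, so no
# plaintext copy sits on disk. One-time setup, run as the Apache service account:
#   Read-Host -AsSecureString 'Passphrase' | ConvertFrom-SecureString |
#       Set-Content -LiteralPath 'C:\ProgramData\Apache\server-key.dpapi'
# Because the directive takes an executable path, point it at a .cmd wrapper:
#   @echo off
#   powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "C:\path\to\Get-ApachePassphrase.ps1" %*
param(
    [string]$ServerPort = '',   # e.g. www.example.com:443, supplied by Apache
    [string]$KeyType    = ''    # RSA, DSA or ECC, supplied by Apache
)
$ErrorActionPreference = 'Stop'
$BlobPath = 'C:\ProgramData\Apache\server-key.dpapi'   # assumed location; restrict its ACL to the service account

try {
    # ConvertTo-SecureString without -Key decrypts with DPAPI in the scope of the
    # current user, so this only works under the account that ran the setup step.
    $blob   = (Get-Content -LiteralPath $BlobPath -Raw).Trim()
    $secure = ConvertTo-SecureString -String $blob
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # scrub the unmanaged copy
    }
    # Everything on stdout is taken as the passphrase: emit it alone, with a
    # single newline and no banner, progress text or Write-Host output.
    [Console]::Out.Write($plain + "`n")
    exit 0
}
catch {
    # Failures go to stderr only; anything on stdout would be tried as a passphrase.
    [Console]::Error.WriteLine("passphrase lookup failed for $ServerPort ($KeyType): $($_.Exception.Message)")
    exit 1
}
```

Run the one-time setup step as the account the Apache service runs under, since a DPAPI blob created by another user cannot be decrypted by the service. The protection boundary then moves to that account and the blob's ACL: anyone able to run code as the service account can recover the passphrase, which is still a clear improvement over a passphrase stored in plaintext.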
Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!
