
I have my cert.pem and cert.key files in the /etc/apache2/ssl folder.

What would be the most secure permissions and ownership of:

  1. /etc/apache2/ssl directory

  2. /etc/apache2/ssl/cert.pem file

  3. /etc/apache2/ssl/cert.key file

(Ensuring https:// access works of course :).

Thanks,

JP

Will

2 Answers

The directory permissions should be 700, the file permissions on all the files should be 600, and the directory and files should be owned by root.

Mike Scott
  • Thanks. This works. One thing - I guess the files only need to be read by root that starts the apache daemon. Why do we need to give "write" permissions to the file? – Dec 27 '10 at 18:11
  • The files will need updating periodically, as your certificates expire and need to be renewed, and since there's no real security risk in making them writeable it makes life slightly simpler. They don't need to be readable for day-to-day use, so you can use 400 permissions (and 500 on the directory) if you don't mind having to fiddle with them at renewal time. – Mike Scott Dec 27 '10 at 18:13
  • It should be noted that the official Apache Docs do not agree with Mike's original suggestions about SSL and go with his second suggestion here in the comments. – Oct 29 '13 at 23:02
  • What should the owner be? – John Bachir Feb 28 '15 at 23:04
  • Where did you find the "official Apache Docs" about SSL? – user9 Sep 21 '16 at 11:19
  • It's mentioned one time here in the SSL FAQ: https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#removepassphrase – txyoji May 22 '18 at 20:21
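An audit helper for the recommendation in this answer and its comments (directory 700 or 500, files 600 or 400, everything owned by root). This is an added example, not code from either answer; it assumes GNU coreutils `stat -c`, and the expected owner is a parameter so it can be tried on a scratch directory owned by a non-root user.

```shell
# check_tls_perms DIR [OWNER]
# Exit status 0 when DIR and every regular file inside it match the
# recommended modes and owner, 1 when there is at least one finding,
# 2 when DIR cannot be stat'ed. Defaults to the owner "root".
check_tls_perms() {
    dir="$1"
    owner="${2:-root}"
    findings=0

    # Directory: only the owner may list or traverse it (700, or 500
    # if you accept re-adding write permission at renewal time).
    info=$(stat -c '%a %U' "$dir" 2>/dev/null) || return 2
    set -- $info
    case "$1" in
        700|500) ;;
        *) echo "FAIL dir  $dir mode $1 (want 700 or 500)"; findings=1 ;;
    esac
    [ "$2" = "$owner" ] || { echo "FAIL dir  $dir owner $2 (want $owner)"; findings=1; }

    # Files: private key and certificate readable by the owner only
    # (600, or 400 for the read-only variant from the comments).
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(stat -c '%a %U' "$f")
        case "$1" in
            600|400) ;;
            *) echo "FAIL file $f mode $1 (want 600 or 400)"; findings=1 ;;
        esac
        [ "$2" = "$owner" ] || { echo "FAIL file $f owner $2 (want $owner)"; findings=1; }
    done

    [ "$findings" -eq 0 ] && echo "OK   $dir"
    return "$findings"
}
```

On a real server run it as `check_tls_perms /etc/apache2/ssl` (owner defaults to root); a non-zero exit status with FAIL lines tells you which entry drifted.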

The most important is to make sure the *.key files are only readable by root (SSL/TLS Strong Encryption: FAQ).

My experience is that it can also be applied to the other certificate files (like *.crt, for example).

So we should set root as the only owner of the directory and its files:

$ chown -R root:root /etc/apache2/ssl

And we can set the most restrictive permissions for this location:

$ chmod -R 000 /etc/apache2/ssl

In some particular cases, the location can be different, of course.

simhumileco