WebApp Sec mailing list archives
Re: SSL
From: Brian Hatch <bri () ifokr org>
Date: Sat, 31 Jan 2004 01:24:05 -0800
> Do you know a way to restrict admins of the web server (IIS) from backing up the server certificate (and private key)? I am trying to ensure that only security admins of my company can back up the certificate, not the web admins. This can be via an authentication definition or via a password protection.
You could always just keep the private key protected with a strong passphrase. Then even if they can access it, the file is encrypted and they can't get in. If the passphrase is strong enough, then an offline attack should be futile.

This does mean you'd not be able to reboot unattended though.

-- 
Brian Hatch                  "I am become Grey. I stand between
 Systems and                  the darkness and the light.
 Security Engineer            Between the candle and the star."
http://www.ifokr.org/bri/

Every message PGP signed
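The approach in the reply, keeping the private key encrypted at rest under a passphrase so that read access to the file alone is not enough to use the key, as an added example that is not part of the original thread. It uses the `openssl` command-line tool (assumed to be on PATH, version 1.1 or newer) rather than anything IIS-specific; the directory, file names and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): protect a TLS private key at
# rest with a passphrase, then show that the file cannot be loaded without it.
# Assumes the openssl CLI is on PATH. All paths and the passphrase are
# constructed for the demo; do not reuse them.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PLAIN_KEY="$WORKDIR/server.key"
ENC_KEY="$WORKDIR/server.enc.key"
PASSFILE="$WORKDIR/passphrase.txt"

# Generate a fresh RSA key, wrap it as an encrypted PKCS#8 PEM under the
# passphrase (AES-256), and remove the cleartext copy so that only the
# encrypted file remains on disk.
protect_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PLAIN_KEY" 2>/dev/null
    printf '%s' 'correct horse battery staple (demo only)' > "$PASSFILE"
    chmod 600 "$PASSFILE"
    openssl pkey -in "$PLAIN_KEY" -aes256 -passout "file:$PASSFILE" -out "$ENC_KEY"
    rm -f "$PLAIN_KEY"
}

# Returns 0 only if the encrypted key parses with the given passphrase source
# (openssl -passin syntax, e.g. "file:/path" or "pass:secret").
key_loads_with() {
    openssl pkey -in "$ENC_KEY" -passin "$1" -noout >/dev/null 2>&1
}

# Returns 0 if the file on disk is an encrypted PEM rather than a plain key.
key_is_encrypted_pem() {
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$ENC_KEY"
}

# Stand-alone run: create the protected key and check both outcomes.
protect_key
if key_loads_with "pass:not-the-passphrase"; then
    echo "unexpected: key opened without the passphrase" >&2
    exit 1
fi
key_loads_with "file:$PASSFILE" \
    && echo "key loads only with the passphrase: $ENC_KEY"
```

The trade-off Brian describes shows up directly here: the server can only start if someone supplies the passphrase, and leaving it in a file the service account can read (as this demo does for the sake of running non-interactively) just moves the secret next to the key. In practice the passphrase is typed at startup or held by a separate secrets store, which is exactly what makes unattended reboots harder.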