
Generate a SSL Certificate and Signing Request

Discussion in 'General Discussion' started by surfalot, Oct 17, 2005.

  1. surfalot

    surfalot Member

    Joined:
    Nov 2, 2004
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Could someone explain to me how secure it is to have both the private and public keys and the challenge password be REQUIRED to be sent over clear text email when it is generated in cPanel? Of course not to mention the same being sent to the server admin email. I was under the impression that the private key was supposed to be kept private and secured. Isn't this a serious security problem or am I completely clueless about how the public and private key system works?

    They are both displayed afterwards for easy copying and storing securely; what is the point of requiring the security keys and information be sent around in clear text?
     
  2. surfalot

    So, nobody else seems to think this is a problem?

    I'm truly surprised the security gurus here didn't jump on this. If generating a cert for a site in cPanel REQUIRES that the private key (used for decrypting the server's communication) be broadcast in clear text email, how then is any cPanel site secure? :eek:

    I even tried to put in a fake email, but then the system just sends it out to the server's system account as an error. Same effect. If I put in no email address, then cPanel tells me I have to enter one.

    Sounds to me like someone didn't think this over very well.
     
  3. surfalot

    Well, I guess I'm going to give it one more shot since I simply CAN'T be the only one that thinks forcing us to send the private SSL key over an email is really bad practice. At least this article agrees with me... http://www.electrictoolbox.com/putty-rsa-dsa-keys/

    Is there anyone that can point out where I'm wrong in this?

    Is this maybe just a long-running joke that cPanel forces the private key generated to be sent via email?
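
For comparison with the behaviour described in this thread, an added example (not part of the original posts and not cPanel's own code): the key pair and CSR are generated with the OpenSSL CLI on the host itself, and a check confirms that the CSR, the only file a certificate authority needs, carries no private key material. The directory layout, file names and hostname are assumptions.

```shell
#!/bin/sh
# Added example; paths, file names and the hostname are constructed placeholders.

# Generate a 2048-bit RSA key and a CSR inside DIR.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_key_and_csr() (
    dir=$1
    cn=$2
    umask 077                       # new files readable by the owner only
    mkdir -p "$dir" || exit 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$cn" 2>/dev/null || exit 1
    chmod 600 "$dir/server.key"     # explicit, in case the file pre-existed
)

# Return 0 if FILE contains a PEM private key block (plain or encrypted).
# Use this as a gate before a file is mailed, pasted or uploaded.
contains_private_key() {
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# Return 0 if the public key embedded in the CSR is the one derived from KEY,
# i.e. the CSR can be sent on its own and still bind to the local private key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Typical use (hostname is a placeholder):
#   make_key_and_csr /root/ssl www.example.test
#   contains_private_key /root/ssl/server.csr && echo "do not send this file"
#   csr_matches_key /root/ssl/server.csr /root/ssl/server.key && echo "CSR ok"
```

Only `server.csr` has to leave the machine; `server.key` stays on disk with mode 600 and is never part of the request.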
     