The Community Forums

Interact with an entire community of cPanel & WHM users!

SSL CSR emails sensitive information

Discussion in 'E-mail Discussions' started by cpanelquestions, Aug 20, 2008.

  1. cpanelquestions

    cpanelquestions Registered

    Joined:
    May 30, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Why does the CSR process insist on emailing the requests??? Email is not secure, and doing this automatically compromises the certificate by emailing the private key and its password!

    Is there a way to turn OFF this behavior? This information should be stored in a file on the server that can only be accessed with root login to WHM, NOT emailed across the universe!
     
  2. prashantp786

    prashantp786 Registered

    Joined:
    Jul 26, 2007
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    same query here

    Hello,

    I have the same confusion with this.

    Is there any alternative to put the CSR information on the server so it can be retrieved through SSH?

    Thanks

    Regards,
    PrashantP786
     
  3. stokkeland

    stokkeland Registered

    Joined:
    Nov 15, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel developers probably don't care about security - they just follow the trend of making it easy to get a certificate so that people who don't understand what SSL is think the whole website/server/data/application is secure because it shows https:// and has a nice security seal... ok that was probably slightly sarcastic :)

    Security-wise I don't think the pkey should be generated at the server at all, and definitely not in non-SSL mode WHM login - it should be on an isolated system on a network that does not have any systems doing fun stuff (no browsing, no IM, no IRC, no email, etc) - whether it's wintendo, mac or linux you can just download and install openssl and create your own pkey and CSR locally.
    (I think a pkey should be treated nearly as safely as a gpg/pgp key, see www.gnupg.org for how they recommend keeping it on removable media and only using it on a completely offline machine).

    Generate Private Key
    $ openssl genrsa -des3 -out keyfile 1024

    Generate CSR, (Common name is domain name, skip all optionals)
    $ openssl req -new -key keyfile -out csrfile

    Remove encryption from a key (needed to get a clear copy to paste into the install dialog in WHM, make sure you are using WHM in SSL mode before doing so)
    $ openssl rsa -in keyfile

    Generate self-signed cert - if that is all you want for testing
    $ openssl x509 -req -days 360 -in csrfile -signkey keyfile -out certfile
     
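    Added example (not from this thread or from cPanel): a POSIX shell script that does what the post above describes, generating the private key and CSR locally with openssl, plus the checks worth running before the CSR leaves the machine. It assumes openssl is installed; the output directory, file names and the domain used are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: local key + CSR generation
# with sanity checks. Assumes openssl is on PATH; names are made up.
set -eu

gen_key_and_csr() {
  # $1 = common name (the domain), $2 = output directory
  cn="$1"; dir="$2"
  mkdir -p "$dir"
  umask 077   # every file created below is readable by this user only
  # Unencrypted 2048-bit RSA key (add -aes256 if it must ever leave this host)
  openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
  # CSR with only the Common Name set; -subj skips the interactive prompts
  openssl req -new -key "$dir/$cn.key" -subj "/CN=$cn" \
    -out "$dir/$cn.csr" 2>/dev/null
}

# The CSR must carry the public half of this exact key: compare both
# public keys in PEM form and fail if they differ or either is missing.
key_matches_csr() {
  k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
  c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The private key must not be group- or world-readable (mode 600).
key_is_private() {
  perms=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$perms" = "600" ]
}

# Extract the CN from the CSR; works with both "/CN=x" and "CN = x" output.
csr_common_name() {
  openssl req -in "$1" -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

# Usage: sh thisscript.sh example.test  (writes into ./ssl-local)
if [ -n "${1-}" ]; then
  gen_key_and_csr "$1" ./ssl-local
  key_matches_csr "./ssl-local/$1.key" "./ssl-local/$1.csr" && \
    key_is_private "./ssl-local/$1.key" && \
    echo "CSR for $(csr_common_name "./ssl-local/$1.csr") ready in ./ssl-local"
fi
```

    Only the .csr file is sent to the CA; the .key file stays on the offline machine until it is pasted into WHM over an SSL session, as the post recommends.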
  4. prashantp786

    prashantp786 Registered

    Joined:
    Jul 26, 2007
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    csr key generate

    Hello,

    Thanks, it's too good.

    Regards,
    PRash
     