Changes between Version 8 and Version 9 of SystemAdministration/Security/TLS

Timestamp:

12/02/15 12:13:58 (8 years ago)

Author:

Sander Maijers

Comment:

ENHANCE: writing.

SystemAdministration/Security/TLS

@@ -25 +25 @@
 For practical reasons, our services use a passphrase-less (unencrypted) private key.
 Before private key files are generated (on a secure admin workstation): 
-1. a root shell must be started, preferable a limited, secure shell such as `dash`,
-2. unnecessary processes must be closed (e.g. graphical environment, browser),
-3. the `umask` must be set so that no file created is every readable by someone other than the superuser, 
-4. file permissions must be double checked.
+1. A root shell must be used for it (preferably a limited, secure shell such as `dash`).
+2. Unnecessary processes must be closed (e.g. graphical environment, browser).
+3. The `umask` must be set so that no file created is every readable by someone other than the superuser. 
+4. File permissions must be double checked after completing the work.
 
 The private key should not be stored outside server hosts that critically need it, except for a minimal number of backups on secure admin workstations, always in encrypted form.