What is the purpose of the ssl-cert-snakeoil.key

Right now I installed ubuntu 12.04.3 server which I want to access via ssh. For that reason I created a private key which I moved to

/etc/ssl/private/

I'm just wondering why there already is private key ssl-cert-snakeoil.key in there. Where is this private key used and can I delete it?


The ssl-snakeoil.key is a key created by ssl-cert package post-install scripts. It's created for the snakeoil user and should not be deleted:

grep '#' /var/lib/dpkg/info/ssl-cert.postinst 
#!/bin/sh -e
# Create the ssl-cert system group for snakeoil ownership:
# Check if the generated snakeoil key/cert has been generated 
# from a vulnerable openssl version and replace it if necessary.
    # check if the cert and key file exist,
    # the issuer and subject are the same (self signed cert)
    # and the private key is vulnerable
# no need to perform any check. If the certificates are there
# it will exit 0.
# allow group ssl-cert to access /etc/ssl/private
# If we're upgrading from an older version, fix the unreadable key:

Now, what's the ssl-cert package:

This package enables unattended installs of packages that need to create SSL certificates.

It is a simple wrapper for OpenSSL's certificate request utility that feeds it with the correct user variables.

So it is a certificate used to install packages that need to create SSL certificates, so the system generates one on the fly with the installation of this package.

As a side note, this package is not exclusive to Ubuntu, since it also appears in Debian.


It's a server-specific public and private key pair created when the server's Debian based OS is installed (like Ubuntu).

It is used in cases where no other SSL certificate is installed or configured, but encrypted communication is enabled and desired.

While it does securely encrypt traffic, it is insecure and thus named 'snakeoil' because it's lack of root authority signature means it is vulnerable to the most simple man-in-the-middle attacks.

Website administrators really need to reconfigure services that reference the snakeoil key with a properly signed key from their CA, like the one they hopefully use for HTTPS.