Permissions for SSL key?
I'm trying to set up a secure connection (https) in nginx.
But I'm a bit worried about the private key's permissions, which aren't mentioned in any tutorial.
Should I change them? To what?
Solution 1:
Private keys should have reading heavily restricted. Setting permissions to 600
and owned by root
should work. However, there are other secure permissions settings - Ubuntu stores keys in a directory with owner root
and group ssl-cert
and permissions 710
. This means that only members of ssl-cert
can access any files in that directory. Private keys then have group ssl-cert
, owner root
, and permissions 640
.
Solution 2:
I had an issue getting nginx setup and came across this question. The other answer here has already directly answered the question but I thought a little more information would be helpful.
Normally, nginx is started as the root
user by init scripts / systemd. However, nginx also has the ability to switch to a less privileged user for normal operations. So my question was which user is used to load the ssl certificate/key? The initial privileged user or the one that is switched to?
Fortunately, nginx uses the initial permissions to read the certificate and key into memory before switching users. So, normally, you really can leave the keys with very restricted permissions as they are loaded by nginx when it's still running as root
.
The problem that I was running into that landed me here was that I was defining ssl_certificate
only in my server
blocks in nginx.conf
. I was getting errors like [error] 18606#18606: *311 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking
when I knew darn good and well that my keys were in the right place. That issue was that I didn't have a ssl_certificate
at the http
level of nginx.conf
.
Hope this is helpful for someone.