Information
It is critical to protect the server's private key. The server's private key is encrypted by default as a means of protecting it. However, having it encrypted means that the passphrase is required each time the server is started up, and now it is necessary to protect the passphrase as well. The passphrase may be typed in when it is manually started up or provided by an automated program. To summarize, the options are:
Use SSLPassPhraseDialog builtin, - requires a passphrase to be manually entered.
Use SSLPassPhraseDialog |/path/to/program to provide the passphrase.
Use SSLPassPhraseDialog exec:/path/to/program to provide the passphrase,
Store the private key in clear text so that a passphrase is not required.
Any of the above options 1-4 are acceptable as long as the key and passphrase are protected as described below. Option 1 has the additional security benefit of not storing the passphrase, but is not generally acceptable for most production web servers, since it requires the web server to be manually started. Options 2 and 3 can provide additional security if the programs providing them are secure. Option 4 is the simplest, is widely used and is acceptable as long as the private key is appropriately protected.
Rationale:
If the private key were to be disclosed, it could be used to decrypt all of the SSL communications with the web server as well as to impersonate the web server.
Solution
Perform the following to implement the recommended state:
All private keys must be stored separately from the public certificates. Find all SSLCertificateFile directives in the Apache configuration files. For any SSLCertificateFile directives that do not have a corresponding separate SSLCertificateKeyFile directive, move the key to a separate file from the certificate, and add the SSLCertificateKeyFile directive for the key file.
For each of the SSLCertificateKeyFile directives, change the ownership and permissions on the server private key to be owned by root:root with permission 0400.