Re: TLS with Encrypted Private Key
- On Aug 5, 2013, at 07:12, Yishen Miao <mys721tx@...> wrote:
> I'm trying to re-use my SSL certificate for Apache on postfix which is encrypted. It would be convenient if postfix can support that.
Do not top-post, please.
> Also, an encrypted private key that is read-only for root sounds more secure than a plain one in the worse problem scenarios. :-p
As for the certificate, I assume that you are talking about a private
key with a password? Have a look at the OpenSSL documentation, there's
probably a way to export/convert your password-protected private key to
one that does not require a password to be entered.
Also, 'sounds more secure' is pretty much the only benefit you would
get from Postfix support for such private keys. Because if someone can
read your private key, they have root privileges, and they could just
replace your certificate completely. In other words, it only sounds
more secure, but isn't in practice.
> On Aug 4, 2013, at 9:54 PM, wietse@... (Wietse Venema) wrote:
>> Yishen Miao:
>>> Hello world,
>>> I was configuring my postfix server for TLS support today and found
>>> out that Postfix does not support encrypted private keys.
>>> I wonder if there is any plan to add such a feature to postfix?
>> There are no such plans. If random people can read a private key
>> file that is read-only for root, then you have worse problems than
>> email security.
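
The conversion suggested in the reply above, as an added example that is not part of the original thread: it writes an unencrypted copy of a passphrase-protected key with owner-only permissions and confirms that the public half is unchanged. The file names, the passphrase and the EC demo key are constructed for the example.

```shell
#!/usr/bin/env bash
set -euo pipefail

# Constructed stand-in for the passphrase-protected Apache key.
make_demo_key() {   # args: out_key pass_file
    ( umask 077
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
          -aes-256-cbc -pass "file:$2" -out "$1" )
}

# Write an unencrypted copy of a passphrase-protected PEM key.
strip_key_passphrase() {   # args: enc_key plain_key pass_file
    # umask 077 in a subshell: the plaintext key is never created
    # group- or world-readable, and the caller's umask is untouched.
    ( umask 077
      openssl pkey -in "$1" -passin "file:$3" -out "$2" )
    chmod 600 "$2"   # also tightens a pre-existing output file
}

# Public half of a key; extra args (e.g. -passin) go to openssl.
pubkey_of() {
    local key=$1; shift
    openssl pkey -in "$key" -pubout "$@"
}

# Octal file mode (GNU stat, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

demo() {
    local d; d=$(mktemp -d)
    printf 'constructed-demo-passphrase\n' > "$d/pass.txt"
    make_demo_key "$d/apache-enc.key" "$d/pass.txt"
    strip_key_passphrase "$d/apache-enc.key" "$d/postfix.key" "$d/pass.txt"
    # Same key pair: the certificate issued for the encrypted key still matches.
    if [ "$(pubkey_of "$d/apache-enc.key" -passin "file:$d/pass.txt")" \
         = "$(pubkey_of "$d/postfix.key")" ]; then
        echo "public keys match; mode $(file_mode "$d/postfix.key")"
    fi
    rm -rf "$d"
}
demo
```

On a real host, run the conversion as root and point Postfix's `smtpd_tls_key_file` at the output file.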