Feature Request: Change private key ownership #816

Open
ian-abbott opened this issue Oct 10, 2023 · 0 comments
Some services (such as the MySQL daemon) might not run as root (or the user that runs getssl), but might need access to the private key. On some systems, that is done by making the private key readable by members of the "ssl-cert" group. Then the service that needs to read the private key can be made to run as a user that is a member of the ssl-cert group.

getssl creates private keys with mode 0600 owned by the effective user and group. It would be nice if there was an option to change some of those. For example, setting a PRIVATE_KEY_GROUP_OWNER variable to a group name (e.g. "ssl-cert") or GID could result in the group owner being changed to that group and the mode being changed to 0640.

There are also the various .pem files that get the private key bundled in (DOMAIN_KEY_CERT_LOCATION and DOMAIN_PEM_LOCATION) to consider.

@ian-abbott ian-abbott changed the title Change private key ownership Feature Request: Change private key ownership Oct 10, 2023
@timkimber timkimber self-assigned this Nov 24, 2023
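
The ownership change described in the request can be applied by hand after getssl has written its files. The following is an added example, not part of the issue or of getssl: the function name `share_key_with_group` is hypothetical, the paths in the usage comment are constructed, and `stat -c` assumes a Linux host with GNU or BusyBox tools.

```sh
#!/bin/sh
# Added example (not getssl code): give one group read access to key files.
# usage: share_key_with_group GROUP_OR_GID FILE...
share_key_with_group() {
    skg_group=$1
    shift
    skg_rc=0
    for skg_file in "$@"; do
        # Act only on regular files. Symlinks are refused because chgrp
        # follows them, so a link in the key directory could redirect
        # the ownership change to another file.
        if [ -L "$skg_file" ] || [ ! -f "$skg_file" ]; then
            echo "skipped, not a regular file: $skg_file" >&2
            skg_rc=1
            continue
        fi
        # Change the group while the mode is still 0600, then add group
        # read. The reverse order would briefly expose the key to whatever
        # group owned the file before.
        if ! { chgrp -- "$skg_group" "$skg_file" &&
               chmod 0640 -- "$skg_file"; }; then
            echo "failed to update: $skg_file" >&2
            skg_rc=1
            continue
        fi
        # Confirm the result instead of trusting the exit codes alone.
        # stat -c is the GNU/BusyBox form (assumption: Linux host).
        if [ "$(stat -c %a -- "$skg_file")" != "640" ]; then
            echo "unexpected mode on: $skg_file" >&2
            skg_rc=1
        fi
    done
    return "$skg_rc"
}

# Constructed usage, covering the key and a bundled .pem that contains it:
#   share_key_with_group ssl-cert /etc/ssl/private/example.com.key \
#       /etc/ssl/private/example.com.pem
```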