Public bug reported:

Binary package hint: ubuntu-docs

The page at https://help.ubuntu.com/10.04/serverguide/C/certificates-and-security.html instructs people to generate a password-protected private key (using the -des3 option), but then to strip the password from the key, and then continue using that "insecure" key.

It would be simpler to not password-protect the generated key in the first place, by just dropping the -des3 option to genrsa.

Password-protecting a private key only makes sense if the password-protected version of the key is used, and the server is set up in such a way as to prompt for that password after reboot (for some very high security applications this may be needed). Obviously, this is rather inconvenient, and such level of security is not needed in most cases.

If the password is stripped anyways before installing the private key on the production server, then the fact that the key was initially generated with a password (which was then stripped before installation) doesn't make it any more secure than if it was generated without a password in the first place.

With the instructions written as is, people might misunderstand that TWO private keys are being generated, with additional security being conferred by the fact that one was password protected (... whereas in reality, it is one and the same private key, of which the password is merely getting stripped...).

** Affects: ubuntu-docs (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/733275

Title:
  Confusing "password" instructions in certificates-and-security.html page

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
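The two flows the report compares, as an added example that is not part of the bug report or of the Ubuntu server guide: the guide's two-step flow (genrsa -des3, then strip the passphrase) next to the single-step flow the reporter suggests, plus a check of what actually ends up on disk. It assumes the openssl CLI is installed; the file names server.key and server.key.insecure and the demo passphrase are arbitrary choices.

```shell
#!/bin/sh
# Added example, not code from the server guide or the bug report.
# Compares generating an RSA key with -des3 and then stripping the
# passphrase against generating it without -des3, and checks whether
# the PEM file that will be deployed is still passphrase-protected.
# Assumes the openssl CLI; file names and the passphrase are arbitrary.
set -e

# Return 0 if the PEM private key is passphrase-protected, 1 if plaintext.
# Traditional "BEGIN RSA PRIVATE KEY" files mark encryption with a
# "Proc-Type: 4,ENCRYPTED" header; PKCS#8 output uses a distinct BEGIN line.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# One-word status for reporting: "protected" or "plaintext".
key_status() {
    if key_is_encrypted "$1"; then echo protected; else echo plaintext; fi
}

# The guide's flow: generate with -des3 (normally prompts for a passphrase;
# supplied via -passout here so the demo is non-interactive), then strip it.
guide_flow() {
    openssl genrsa -des3 -passout pass:demo-passphrase -out server.key 2048 2>/dev/null
    openssl rsa -in server.key -passin pass:demo-passphrase -out server.key.insecure 2>/dev/null
}

# The flow the report suggests: the same deployable key in one step.
direct_flow() {
    openssl genrsa -out server.key 2048 2>/dev/null
}

# Run with "demo" as the first argument to see both flows side by side.
if [ "${1:-}" = "demo" ]; then
    workdir=$(mktemp -d); cd "$workdir"
    guide_flow
    echo "guide flow:  server.key is $(key_status server.key), server.key.insecure is $(key_status server.key.insecure)"
    direct_flow
    echo "direct flow: server.key is $(key_status server.key)"
    cd / && rm -rf "$workdir"
fi
```

Running the demo shows that server.key.insecure from the guide's flow and server.key from the direct flow are both plaintext keys; only the intermediate file was ever protected.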