CODEWITHSUNDEEP
githubssl-certificate
tim_xyz
tim_xyz

Reputation: 13511

Should files involved in SSL certificate be kept confidential (added to .gitignore)?

In the process of setting up an SSL certificate for my site, several different files were created,

Should these be added to .gitignore before pushing my site to github?

Apologies in advance if this is a dumb question.

Upvotes: 31

Views: 17020

Answers (2)

kap
kap

Reputation: 1804

I would like to add to @VonC 's answer, as it is in fact more complicated:

The files have different content, and depending on that they require a different access control:

  • server.csr: This is a certificate signing request file. It is generated from the key (server.key in your case) and used to create the certificate (site_name.crt in your case). This should be deleted when the certificate has been created. It should not be shared with untrusted parties.
  • server.key: This is the private key. Under no circumstances can this file be shared outside of the server. It cannot end up in a code repository. On the system it must be stored with 0600 permissions (i.e. read only) owned by either root or the web server user. At least in Linux, in Windows user access rights are handled differently, but it has to be done similarly.
  • site_name.crt: This is the signed certificate. This is considered to be public. The certificate is essentially the public key. It is sent out to everyone that connects to the server. It can be stored in the repository. (The hint from @VonC is correct, code and data should be separated, but it can be e.g. in a separate repository for the deployment).
  • server.pass.key: Don't know what this is, but it seems to contain the password to get access to the key. If this is the case the same rules as for the key apply: Never share with anyone.

Upvotes: 15

VonC
VonC

Reputation: 1326576

Should these be added to .gitignore before pushing my site to github?

They should not be in the repo at all, meaning stored outside of the repo.
That way:

  • you don't need to manage a .gitignore,
  • you can store those keys somewhere safe.

GitHub actually had to change it search feature back in 2013 after seeing users storing keys and passwords in public repositories. See the full story.

The article includes this quote:

The mistakes may reflect the overall education problem among software developers.

When you have expedited programs—"6 weeks and you'll be a real software developer"—to teach developing, security becomes an afterthought. And considering "90 percent of development is copying stuff you don't understand, I'd bet most of them simply don't know what id_rsa is"

In 2016, this "book" (as a joke) reflects that:

https://twitter.com/DomBurf/status/707473924137881600

The OP adds:

I think Heroku requires putting the files into the repo in order to run ">heroku certs:add server.crt server.key" and setup the cert.

"Configuration and Config Vars" is one illustration on that topic:

A better solution is to use environment variables, and keep the keys out of the code. On a traditional host or working locally you can set environment vars in your bashrc file. On Heroku, you use config vars.

The article "Heroku: SSL Endpoint" does not force you to have those key and certificate in your code. They can be generated directly on Heroku and saved anywhere else for safekeeping. Just not in a git repo.

Upvotes: 32

Related Questions