Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Should files involved in SSL certificate be kept confidential (added to .gitignore)?

In the process of setting up an SSL certificate for my site, several different files were created,

  • server.csr
  • server.key
  • server.pass.key
  • site_name.crt

Should these be added to .gitignore before pushing my site to github?

Apologies in advance if this is a dumb question.

like image 821
tim_xyz Avatar asked Mar 09 '16 08:03

tim_xyz


People also ask

How do you store SSL certificates safely?

Simple answer: store them in Keeper. With Keeper, these digital assets are fully encrypted locally on your device with 256-bit AES and the ciphertext is stored in Keeper's Cloud Security Vault.

How do I ignore a certificate in git?

Prepend GIT_SSL_NO_VERIFY=true before every git command run to skip SSL verification. This is particularly useful if you haven't checked out the repository yet. Run git config http. sslVerify false to disable SSL verification if you're working with a checked out repository already.

What is SSL certificate problem in git?

When pushing, pulling, or cloning, Git cannot verify your SSL certification, which leads to the error. A valid HTTPS handshake requires both the client and the server to create a secure connection, allowing for safe communication between your local machine and where the source code is hosted.

What is an SSL certificate and how does it work?

An SSL certificate is a file installed on a website's origin server. It's simply a data file containing the public key and the identity of the website owner, along with other information. Without an SSL certificate, a website's traffic can't be encrypted with TLS.

Where is the SSL certificate stored?

The certificate is essentially the public key. It is sent out to everyone that connects to the server. It can be stored in the repository. (The hint from @VonC is correct, code and data should be separated, but it can be e.g. in a separate repository for the deployment).

What is the most important for SSL/TLS strong encryption?

The most important is to make sure the *.key files are only readable by root ( SSL/TLS Strong Encryption: FAQ ). My experience is that it could be realized also to other files of the certificates (like *.crt for example). In some particular case, the localization can be different of course.

What permissions do I need for SSL/TLS?

The directory permissions should be 700, the file permissions on all the files should be 600, and the directory and files should be owned by root. Show activity on this post. The most important is to make sure the *.key files are only readable by root ( SSL/TLS Strong Encryption: FAQ ).

What are the files in a Certificate Signing Request?

The files have different content, and depending on that they require a different access control: server.csr: This is a certificate signing request file. It is generated from the key ( server.key in your case) and used to create the certificate ( site_name.crt in your case). This should be deleted when the certificate has been created.


1 Answers

Should these be added to .gitignore before pushing my site to github?

They should not be in the repo at all, meaning stored outside of the repo.
That way:

  • you don't need to manage a .gitignore,
  • you can store those keys somewhere safe.

GitHub actually had to change it search feature back in 2013 after seeing users storing keys and passwords in public repositories. See the full story.

The article includes this quote:

The mistakes may reflect the overall education problem among software developers.

When you have expedited programs—"6 weeks and you'll be a real software developer"—to teach developing, security becomes an afterthought. And considering "90 percent of development is copying stuff you don't understand, I'd bet most of them simply don't know what id_rsa is"

In 2016, this "book" (as a joke) reflects that:

https://twitter.com/DomBurf/status/707473924137881600


The OP adds:

I think Heroku requires putting the files into the repo in order to run ">heroku certs:add server.crt server.key" and setup the cert.

"Configuration and Config Vars" is one illustration on that topic:

A better solution is to use environment variables, and keep the keys out of the code. On a traditional host or working locally you can set environment vars in your bashrc file. On Heroku, you use config vars.

The article "Heroku: SSL Endpoint" does not force you to have those key and certificate in your code. They can be generated directly on Heroku and saved anywhere else for safekeeping. Just not in a git repo.

like image 123
VonC Avatar answered Sep 20 '22 17:09

VonC