I hate to dogpile, but yup, security is a process. If you could add security to a product the way you add condiments to a burger at Harvey's, the world would be a much safer place!

That said, it sounds like you have a Linux system which users don't routinely access (in other words, it boots and runs the programs you want, but there's no default terminal access through sshd, a monitor, or otherwise).

The reason you put a passphrase on a certificate is to protect the certificate from theft and malicious use - so if for some reason the certificate file itself may be vulnerable to copying or reading, you secure it with a passphrase which can't be copied as easily (it's in somebody's head, it's in a script that most users can't read, etc.).

So in your case, I think that the security ramifications of using a certificate with or without a passphrase are the same - you're primarily concerned about attacks at the network level, including traffic capture and analysis or man in the middle attacks. Both kinds of certificate behave the same way in that regard.

I'm taking some guesses there, please correct any poor assumptions.

Woogie

On Thu, Apr 1, 2010 at 9:59 AM, Spencer Cheng <scheng [ at ] aotera [ dot ] org> wrote:
>
> On Wed, Mar 31, 2010 at 14:55:04 -0400, piper.guy1 wrote:
>> On Wed, Mar 31, 2010 at 2:35 PM, Joe Burpee <jeb [ at ] burkby [ dot ] com> wrote:
>>> On Wed, Mar 31, 2010 at 12:54:20 -0400, piper.guy1 wrote:
>>>> 1. Can you create PEM's in OpenSSL without a passphrase?
>>>
>>> openssl req -nodes ...
>>
>> Now, as a newbie to security, what's my risk exposure?
>
> It's not that simple. How secure your system is is a function of your threat model, how the system is designed and how it is implemented. Adding a certificate without password may or may not affect the security level of your system.
>
> Regards,
> Spencer

--
Evil will always triumph, because good is dumb
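An added example, not part of the original thread: a small audit that reports whether the private key in a PEM file is passphrase-protected and, if it is not, whether file permissions leave it open to other local users, which is the copying risk the reply describes. The function names, the `server.pem` file name and the sample PEM text are constructed for illustration.

```python
import os
import stat

ENCRYPTED_PKCS8 = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
KEY_LABELS = (  # PEM labels that can hold an unencrypted private key
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)

def key_protection(pem_text):
    """Classify the first private key found in PEM text."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    for i, line in enumerate(lines):
        if line == ENCRYPTED_PKCS8:
            return "encrypted"
        if line in KEY_LABELS:
            # Traditional-format keys mark encryption in a header line.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if nxt.startswith("Proc-Type:") and "ENCRYPTED" in nxt:
                return "encrypted"
            return "unencrypted"
    return "no-private-key"

def audit_key_file(path):
    """Return (state, findings) for one PEM file on disk."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        state = key_protection(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if state == "unencrypted":
        findings.append("private key has no passphrase")
        if mode & 0o077:
            # Without a passphrase, file permissions are the only barrier.
            findings.append("accessible beyond owner (mode %04o)" % mode)
    return state, findings

# Constructed samples: real PEM framing, placeholder bodies (not real keys).
SAMPLE_NODES = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
                "-----END CERTIFICATE-----\n-----BEGIN RSA PRIVATE KEY-----\n"
                "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                    "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "server.pem")
        with open(p, "w") as fh:
            fh.write(SAMPLE_NODES)
        for m in (0o644, 0o600):
            os.chmod(p, m)
            print("%04o" % m, audit_key_file(p))
```
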