Configuring strict file permissions on SSL/TLS certificates and private keys is essential: a private key that other local users can read lets them impersonate the server and, for non-forward-secret cipher suites, decrypt captured traffic. Detailed configuration guidance follows.
1. Basic permission principles
Certificate files (.crt/.pem)
```bash
# Certificates are public material: world-readable, but writable only by root
chmod 644 server.crt
chown root:root server.crt
```
Private key files (.key)
```bash
# The private key must be strictly protected: readable by the owner only.
# 600 root:root is right when only root needs it (nginx and Apache load the
# key in their root master process at startup). If a service that runs as a
# non-root user has to read it, use 640 root:ssl-cert rather than opening
# the file to "other".
chmod 600 server.key
chown root:root server.key
```
Intermediate certificates
```bash
chmod 644 intermediate.crt
chown root:root intermediate.crt
```
2. Complete deployment script
```bash
#!/bin/bash
# ssl-permissions-setup.sh
set -euo pipefail

SSL_DIR="/etc/ssl"
CERT_NAME="example.com"

# 1. Create a dedicated SSL group (recommended)
groupadd ssl-cert 2>/dev/null || true

# 2. Directory permissions
chmod 755 "$SSL_DIR"
chown root:root "$SSL_DIR"

# 3. Certificate file permissions (public material, chain included)
chmod 644 "$SSL_DIR/certs/${CERT_NAME}.crt" "$SSL_DIR/certs/${CERT_NAME}.chain.crt"
chown root:ssl-cert "$SSL_DIR/certs/${CERT_NAME}.crt" "$SSL_DIR/certs/${CERT_NAME}.chain.crt"

# 4. Private key permissions (strictest). Group-readable (640) is what makes the
#    ssl-cert group useful: with 600 the group bits are irrelevant and members of
#    ssl-cert still cannot read the key.
chmod 640 "$SSL_DIR/private/${CERT_NAME}.key"
chown root:ssl-cert "$SSL_DIR/private/${CERT_NAME}.key"

# 5. Private key directory: root has full access, the group can traverse (x) but
#    not list it, everyone else is locked out
chmod 710 "$SSL_DIR/private"
chown root:ssl-cert "$SSL_DIR/private"

# 6. Add service users to the ssl-cert group (nginx, apache). Only needed when the
#    process that loads the key runs unprivileged; skip users absent on this host.
for svc in nginx www-data; do
    id "$svc" >/dev/null 2>&1 && usermod -a -G ssl-cert "$svc"
done

# 7. Restrictive umask for anything created from here on (e.g. a key-generation
#    step run by this script). Appending "umask 077" to /etc/profile.d would
#    change the default for every login shell on the host, so keep it local.
umask 077
```
3. Nginx/Apache configuration
Nginx example
```nginx
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    # The key is read by the nginx master process when the configuration is
    # loaded. On a standard install the master runs as root, so the worker
    # user (nginx / www-data) needs no access to the key at all. Only when the
    # master itself runs unprivileged (some container setups) must that user
    # be in the ssl-cert group and the key be mode 640.
}
```
Check the Nginx user's group membership:
```bash
id nginx
groups nginx   # should list ssl-cert if group-based access is used
```
4. Automated monitoring script
```bash
#!/bin/bash
# ssl-permissions-monitor.sh
# Flags private keys that are not owned by root, or whose mode is anything other
# than 600 (root only) or 640 with group ssl-cert (group-based access).
# Uses GNU stat (-c). Certbot's real key files live in archive/ as privkey.pem.
check_ssl_permissions() {
    local vulnerable=0
    local key perms owner group ok
    # -print0 / read -d '' handles paths with spaces; directories that do not
    # exist on this host (e.g. /etc/apache2 on an nginx box) are silenced.
    while IFS= read -r -d '' key; do
        perms=$(stat -c "%a" "$key")
        owner=$(stat -c "%U" "$key")
        group=$(stat -c "%G" "$key")
        ok=0
        [[ $owner == root && $perms == 600 ]] && ok=1
        [[ $owner == root && $perms == 640 && $group == ssl-cert ]] && ok=1
        if (( ! ok )); then
            echo "ALERT: Weak permissions on $key"
            echo "  Permissions: $perms (should be 600, or 640 with group ssl-cert)"
            echo "  Owner/group: $owner:$group (owner should be root)"
            vulnerable=1
        fi
    done < <(find /etc/ssl /etc/nginx /etc/apache2 /etc/letsencrypt \
                  \( -name "*.key" -o -name "privkey.pem" \) -type f -print0 2>/dev/null)
    return $vulnerable
}

check_ssl_permissions
```
Periodic check (add to cron; every 30 minutes):
```bash
*/30 * * * * /usr/local/bin/ssl-permissions-monitor.sh
```
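The monitor above compares the mode string of each key against a fixed value. The following added example (written for this page, not code from the original) audits the properties that actually decide whether an unprivileged local user can read or replace a key: it resolves symlinks to the real file (certbot's live/*/privkey.pem point into archive/), decodes the permission bits instead of string-matching, tolerates group read only for the designated group, and walks the ancestor directories looking for a world-writable parent without the sticky bit. It assumes GNU or BusyBox `stat -c` and `readlink -f`; the expected owner defaults to uid 0, and the demo overrides it through `EXPECTED_UID` so it can run unprivileged on constructed placeholder files in a temp directory.

```bash
#!/bin/bash
# Added example, not from the original page.
# audit_key_path KEY [ALLOWED_GROUP]  -> 0 if acceptable, 1 if weak.
# Each finding is printed on its own line. Expected owner: uid 0 unless
# EXPECTED_UID is set (assumption for unprivileged demo runs).
audit_key_path() {
    key=$1
    allowed_group=${2:-ssl-cert}
    expected_uid=${EXPECTED_UID:-0}
    rc=0

    target=$(readlink -f "$key") || { echo "$key: cannot resolve path"; return 1; }
    [ -f "$target" ] || { echo "$key: not a regular file"; return 1; }

    # stat prints e.g. "640 0 ssl-cert"; pad the mode to 4 digits (special bits first)
    set -- $(stat -c '%a %u %G' "$target")
    mode=$(printf '%04d' "$1"); uid=$2; grp=$3
    g=$(printf %s "$mode" | cut -c3)
    o=$(printf %s "$mode" | cut -c4)

    [ "$uid" = "$expected_uid" ] || { echo "$key: owned by uid $uid, expected $expected_uid"; rc=1; }
    [ "$o" = 0 ] || { echo "$key: accessible by others (mode $mode)"; rc=1; }
    [ $((g & 2)) -eq 0 ] || { echo "$key: group-writable (mode $mode)"; rc=1; }
    if [ $((g & 4)) -ne 0 ] && [ "$grp" != "$allowed_group" ]; then
        echo "$key: readable by group '$grp' (only '$allowed_group' is allowed)"; rc=1
    fi

    # A world-writable ancestor without the sticky bit lets anyone replace the key
    # file itself, whatever the file's own mode says.
    dir=$(dirname "$target")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        dmode=$(printf '%04d' "$(stat -c '%a' "$dir")")
        special=$(printf %s "$dmode" | cut -c1)
        others=$(printf %s "$dmode" | cut -c4)
        if [ $((others & 2)) -ne 0 ] && [ $((special & 1)) -eq 0 ]; then
            echo "$key: parent directory $dir is world-writable without the sticky bit"; rc=1
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# Demo on constructed placeholder files (not real keys) in a temp dir.
# Returns 0 if every expectation below holds.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/private" "$tmp/live"
    for f in good world grp; do
        printf 'constructed placeholder, not a real key\n' > "$tmp/private/$f.key"
    done
    chmod 600 "$tmp/private/good.key"
    chmod 644 "$tmp/private/world.key"
    chmod 640 "$tmp/private/grp.key"
    ln -s "$tmp/private/world.key" "$tmp/live/privkey.pem"      # certbot-style symlink
    EXPECTED_UID=$(stat -c '%u' "$tmp/private/good.key")           # demo runs unprivileged
    filegrp=$(stat -c '%G' "$tmp/private/grp.key")
    ok=1
    audit_key_path "$tmp/private/good.key"            || ok=0   # 600: must pass
    audit_key_path "$tmp/private/world.key"           && ok=0   # 644: must fail
    audit_key_path "$tmp/live/privkey.pem"            && ok=0   # symlink to 644: must fail
    audit_key_path "$tmp/private/grp.key"             && ok=0   # 640, group is not ssl-cert: must fail
    audit_key_path "$tmp/private/grp.key" "$filegrp"  || ok=0   # 640 with the allowed group: must pass
    rm -rf "$tmp"
    [ "$ok" -eq 1 ]
}

# Usage on a real host (as root): audit_key_path /etc/ssl/private/example.com.key ssl-cert
```

Run it with `demo_audit` to see the findings for each constructed case; on a real host call `audit_key_path` on each key path as root so that the default expected owner (uid 0) applies.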
5. Docker environment
```dockerfile
# syntax=docker/dockerfile:1
# Dockerfile example. COPY --chmod needs BuildKit (Docker 20.10+).
FROM nginx:alpine

# The official image already ships an "nginx" user, so add that existing user to
# the new group; re-creating it with adduser would fail the build.
RUN addgroup -S ssl-cert && addgroup nginx ssl-cert

# SSL directories
RUN mkdir -p /etc/ssl/private /etc/ssl/certs && \
    chmod 710 /etc/ssl/private && \
    chmod 755 /etc/ssl/certs && \
    chown root:ssl-cert /etc/ssl/private

# Copy the certificate material with the right owner and mode at build time
COPY --chown=root:ssl-cert --chmod=640 server.key /etc/ssl/private/
COPY --chown=root:ssl-cert --chmod=644 server.crt /etc/ssl/certs/
```
A key copied in with COPY is stored in an image layer: anyone who can pull the image, or read the build context, can extract it regardless of the mode bits. For anything beyond a local test image, keep the key out of the image and mount it at run time (a read-only bind mount or a Docker/Kubernetes secret) with the same ownership and mode.
6. Automation tools
Permissions when `certbot` renews automatically
```bash
# Certbot creates /etc/letsencrypt/{live,archive} with restrictive permissions by
# default; verify rather than assume. live/*/privkey.pem are symlinks into
# archive/, and chmod follows them, so this tightens the real files:
certbot renew --post-hook "chmod 600 /etc/letsencrypt/live/*/privkey.pem"
```
If a non-root service must read the renewed key, use a `--deploy-hook` instead (run once per successfully issued certificate, with `$RENEWED_LINEAGE` set to that lineage's directory) to apply `chgrp ssl-cert` and `chmod 640` to its `privkey.pem`.
Automated configuration with Ansible
```yaml
# ansible-playbook-ssl-permissions.yml
- name: Configure SSL permissions
  hosts: webservers
  become: true
  tasks:
    - name: Create ssl-cert group
      group:
        name: ssl-cert
        state: present

    - name: Set certificate permissions
      file:
        path: /etc/ssl/certs/{{ item }}
        mode: '0644'
        owner: root
        group: ssl-cert
      loop: "{{ ssl_certificates }}"

    - name: Set private key permissions (640 so ssl-cert members can read)
      file:
        path: /etc/ssl/private/{{ item }}
        mode: '0640'
        owner: root
        group: ssl-cert
      loop: "{{ ssl_private_keys }}"
```
7. Security checklist
Run these checks regularly:
```bash
# 1. List private key permissions (-xdev stays on the root filesystem;
#    2>/dev/null hides unreadable mounts)
find / -xdev \( -name "*.key" -o -name "privkey.pem" \) -type f -exec ls -la {} \; 2>/dev/null

# 2. Private keys readable by "other" (world-readable)
find / -xdev \( -name "*.key" -o -name "privkey.pem" \) -type f -perm -o+r \
     -exec echo "VULNERABLE: {}" \; 2>/dev/null

# 3. Verify the certificate chain (pass intermediates with -untrusted)
openssl verify -CAfile ca.crt -untrusted intermediate.crt server.crt

# 4. Check that the private key matches the certificate. Comparing moduli only
#    works for RSA keys; comparing the public keys works for RSA and EC alike.
openssl x509 -noout -pubkey -in server.crt | sha256sum
openssl pkey -pubout -in server.key | sha256sum
# The two hashes must be identical
```
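The key-to-certificate check in the list above is the one operators get wrong most often when a host mixes RSA and EC certificates. The following added example (written for this page, not code from the original) wraps the public-key comparison in a function with distinct results for "match", "mismatch" and "could not parse", and demonstrates it on throwaway EC and RSA key pairs and self-signed certificates that it generates itself under `umask 077`. It requires the `openssl` command line; the key and certificate files it creates are constructed test material.

```bash
#!/bin/bash
# Added example, not from the original page.
# key_matches_cert KEY CERT -> 0 match, 1 mismatch, 2 if either file cannot be
# parsed. Compares the SubjectPublicKeyInfo from both sides, so it works for
# RSA, EC and Ed25519 keys, unlike the RSA-only modulus comparison.
key_matches_cert() {
    key=$1; cert=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Demo: generate throwaway EC and RSA keys plus self-signed certificates in a
# temp dir (constructed test material, never use it on a real host), then check
# matching, mismatching and unparseable inputs. Returns 0 if every expectation holds.
demo_key_cert_match() {
    tmp=$(mktemp -d) || return 1
    (
        umask 077   # private keys are never created world-readable, even briefly
        openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/ec.key" &&
        openssl genrsa -out "$tmp/rsa.key" 2048 2>/dev/null &&
        openssl req -new -x509 -key "$tmp/ec.key"  -subj "/CN=ec.example.test"  -days 1 -out "$tmp/ec.crt" &&
        openssl req -new -x509 -key "$tmp/rsa.key" -subj "/CN=rsa.example.test" -days 1 -out "$tmp/rsa.crt"
    ) || { rm -rf "$tmp"; return 1; }
    ok=1
    key_matches_cert "$tmp/ec.key"  "$tmp/ec.crt"  || ok=0   # EC key vs its own cert: match
    key_matches_cert "$tmp/rsa.key" "$tmp/rsa.crt" || ok=0   # RSA key vs its own cert: match
    key_matches_cert "$tmp/ec.key"  "$tmp/rsa.crt" && ok=0   # wrong key for this cert: mismatch
    rc=0; key_matches_cert "$tmp/ec.crt" "$tmp/ec.crt" || rc=$?
    [ "$rc" -eq 2 ] || ok=0                                   # a cert passed as the key: parse error
    rm -rf "$tmp"
    [ "$ok" -eq 1 ]
}

# Usage on a real host:
#   key_matches_cert /etc/ssl/private/example.com.key /etc/ssl/certs/example.com.crt && echo match
```

Distinguishing exit code 2 from 1 matters in automation: a corrupt or encrypted key that cannot be parsed should be reported as an error, not silently treated as "does not match".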
8. Incident response
If a permission problem is found:
```bash
# 1. Close the hole immediately
chmod 600 /path/to/compromised.key

# 2. Look for evidence that someone could have read it: who was logged in or ran
#    commands while the key was exposed. lastlog only shows last logins; also
#    review /var/log/auth.log (or journalctl _COMM=sshd), and ausearch -f <key path>
#    if auditd was watching the file.
lastlog | grep -v "Never logged in"

# 3. Treat the key as compromised if any untrusted user had read access: fixing
#    the mode does not undo a copy that was already taken. Generate the new key
#    under a restrictive umask so it is never world-readable, even briefly.
(umask 077; openssl genrsa -out new.key 4096)
chmod 600 new.key

# 4. Re-issue the certificate for the new key, deploy it, then revoke the old
#    certificate with the issuing CA.
```
Best-practice summary
1. Least privilege: grant only the access a process actually needs; a key that only root's master process reads stays 600.
2. Dedicated group: give unprivileged services access through an `ssl-cert` group and 640 keys, never by opening files to everyone.
3. Regular audits: monitor ownership and permission changes.
4. Automated deployment: use configuration management so every host is consistent.
5. Isolated storage: keep private keys in a dedicated, non-listable directory (e.g. /etc/ssl/private, mode 710).
6. Backup protection: encrypt any backup that contains key material.
Following these guidelines substantially reduces the risk of SSL/TLS private key disclosure.