Secure Apache SSL Directory and File Permissions: Best Practices for cert.pem and cert.key

When configuring Apache with SSL/TLS, proper file permissions are crucial for both security and functionality. The private key (cert.key) is particularly sensitive and requires the strictest protection.

Here's the optimal permission setup for your Apache SSL configuration:


# Directory permissions
sudo chown root:root /etc/apache2/ssl
sudo chmod 750 /etc/apache2/ssl

# Certificate file permissions
sudo chown root:root /etc/apache2/ssl/cert.pem
sudo chmod 644 /etc/apache2/ssl/cert.pem

# Private key permissions
sudo chown root:ssl-cert /etc/apache2/ssl/cert.key
sudo chmod 640 /etc/apache2/ssl/cert.key

The ssl-cert group must include the Apache user (typically www-data on Debian/Ubuntu or apache on CentOS/RHEL). Add it if it is not already a member:


sudo usermod -a -G ssl-cert www-data  # For Debian/Ubuntu
sudo usermod -a -G ssl-cert apache    # For CentOS/RHEL

After applying these changes, test your configuration:


sudo apachectl configtest
sudo systemctl restart apache2

Check for permission-related errors in Apache's error log:


sudo tail -f /var/log/apache2/error.log

For enhanced security:

  • Regularly audit permissions with ls -la /etc/apache2/ssl
  • Consider using SELinux/AppArmor for additional protection
  • Implement certificate rotation policies

If HTTPS stops working after permission changes:

  1. Verify that the Apache user has read access to all files
  2. Check the ssl-cert group membership
  3. Confirm no parent directory has overly restrictive permissions

For optimal security while maintaining functionality, here are the recommended permissions:


# Directory permissions
sudo chmod 750 /etc/apache2/ssl

# Certificate file permissions
sudo chmod 644 /etc/apache2/ssl/cert.pem

# Private key file permissions
sudo chmod 600 /etc/apache2/ssl/cert.key

The ownership should be set as follows:


sudo chown root:root /etc/apache2/ssl
sudo chown root:root /etc/apache2/ssl/cert.pem
sudo chown root:root /etc/apache2/ssl/cert.key

If Apache runs under a dedicated service user (www-data on Debian/Ubuntu), group ownership can be given to that user instead:


sudo chown root:www-data /etc/apache2/ssl
sudo chown root:www-data /etc/apache2/ssl/cert.pem
sudo chown root:www-data /etc/apache2/ssl/cert.key

To verify your settings:


ls -la /etc/apache2/ssl
stat -c "%a %n" /etc/apache2/ssl/*

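As an added example (not from the original page), a small bash audit that encodes the permission layouts given above: the directory must be 750 or 700, cert.pem may be world-readable, and cert.key must never be readable beyond owner and group. It assumes GNU stat (Linux) and takes the expected owner uid as an optional second argument (root by default).

```shell
#!/usr/bin/env bash
# Audit an Apache SSL directory against the recommended permission layout.
# Added example, not part of the original page. Requires GNU stat.

# check_mode PATH ALLOWED_MODE... : pass if PATH's octal mode is in the list.
check_mode() {
  local path=$1 mode m; shift
  mode=$(stat -c '%a' "$path") || return 1
  # drop a leading setuid/setgid/sticky digit so "2750" compares as "750"
  [ ${#mode} -eq 4 ] && mode=${mode:1}
  for m in "$@"; do
    [ "$mode" = "$m" ] && { echo "OK   $path mode $mode"; return 0; }
  done
  echo "FAIL $path mode $mode (expected one of: $*)"
  return 1
}

# check_owner PATH UID : pass if PATH is owned by the numeric UID.
check_owner() {
  local uid
  uid=$(stat -c '%u' "$1") || return 1
  [ "$uid" = "$2" ] && { echo "OK   $1 owner uid $uid"; return 0; }
  echo "FAIL $1 owner uid $uid (expected $2)"
  return 1
}

# audit_ssl_dir DIR [OWNER_UID] : run every check; exit 0 only if all pass.
# cert.pem is public material, so 644 or 640 is acceptable; cert.key must be
# 600 (root only) or 640 (group-readable for ssl-cert), never world-readable.
audit_ssl_dir() {
  local dir=$1 owner=${2:-0} rc=0
  check_owner "$dir" "$owner"            || rc=1
  check_mode  "$dir" 750 700             || rc=1
  check_owner "$dir/cert.pem" "$owner"   || rc=1
  check_mode  "$dir/cert.pem" 644 640    || rc=1
  check_owner "$dir/cert.key" "$owner"   || rc=1
  check_mode  "$dir/cert.key" 600 640    || rc=1
  return $rc
}

# Run against a directory when invoked directly: audit.sh /etc/apache2/ssl
if [ $# -gt 0 ]; then
  audit_ssl_dir "$@"
fi
```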
Your virtual host configuration should reference these files:


<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/cert.key
    # Other configurations...
</VirtualHost>

If you encounter permission errors, check Apache logs:


sudo tail -f /var/log/apache2/error.log

Common error messages include:


[ssl:error] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[ssl:error] Unable to configure RSA certificate