0

I've read so many answers and tutorials and post about push notification, I've managed the registration, creating the certificates p12 and pem files as well as apple provisioning just fine so my application knows how to receive push notifications (or at least it looks like it does)

Now I'm trying to set my server side - python/django. I've uploaded the key & cert pem files into my server folder, following this answer here at SO. I'm getting an error when i try to ssl_sock.connect( theHost ) since the pem has a paraphrase, I've read many people saying just to remove the paraphrase but then isn't the whole security public/ private key is out of the window? and if using this approach do i need to remove the paraphrase from the pem file at apple as well? or the one i've downloaded to my mac?

Community
  • 1
  • 1
liv a
  • 3,232
  • 6
  • 35
  • 76

2 Answers2

2

To expand on meda's answer - think about this:

  1. If you put a passphrase on certificate, you will need to hard-code the pass phrase somewhere in your django project, since it will need that passphrase to load the certificate.

  2. If someone compromises your server, they have your certificate. "No problem!", you think. You've got a pass phrase, so they can't do anything with it!

  3. Except they also have access to your source code.

  4. So now they have your pass phrase, and your certificate.

  5. So all you really did was add hassle for yourself, without any benefit.

Pass phrases on certificates make sense if the certificate is being stored among other shared assets, for whatever reason, or for high encryption concerns where the private key will ONLY be used manually, by an individual or group.

In all other cases, it's a complete waste of effort.

Jack Shedd
  • 3,501
  • 20
  • 27
  • so do i have to remove the paraphrase only at the server side? or load a new pem file to the apple developer site as well? – liv a Jan 09 '14 at 17:48
  • The passphrase is only used to encrypt the private key on your end. You can use a utility, e.g. openssl, to strip the passphrase and just give you the decrypted key. You don't have to upload a new key to apple. – EWit Jan 09 '14 at 17:50
  • ++ Jack has valid point here, passphrase comes handy when someone gets the `pem` without the passphrase. In your case both would be on the server. If you want to remove it you will have to re-generate the `pem` file. @liva – meda Jan 09 '14 at 18:24
0

I used PHP to accomplish this but I can tell you about what I know:

  • Passphrase is just an additional encryption layer
  • SSL encryption alone is really secure.
  • If you want to remove passphrase leave it blank when you are prompt to enter one.
meda
  • 45,103
  • 14
  • 92
  • 122
  • Can you elaborate on the first point? All the passphrase does is encrypt the private key. The passphrase does not do anything with the SSL encryption, which your answers seems to imply. – EWit Jan 09 '14 at 17:49
  • `The passphrase does not do anything with the SSL encryption` right, this is why I said "SSL encryption **alone** is really secure" maybe I didnt pick the right words. – meda Jan 09 '14 at 18:20