Sanity Check - Should my Public AMIs for EC2 generate new Apache SSL Certs on First Boot?

Question

I want to offer ready-to-deploy Public Ubuntu Lucid AMIs on Amazon Web Services EC2. As these AMIs use open-source web apps, I want to pre-configure apache mod_ssl and force all traffic over https. That's easy enough.

I'm interested in a sanity check: just how insecure would it be to deploy without a first run script that generates a new CSR and server.key / server.crt files? (i.e., anyone who accesses the AMI will get a copy of the server.key used by anyone else running an instance launched from this AMI?

I have yet to see public AMIs from reputable community/enterprise companies offer AMIs in this manner- in fact most offer them without mod_ssl at all- leaving that up to the sys admin.

-Jack Murgia

Answer 1

I would definitely generate a unique key on primary launch of the public instance. People are way too likely to be lazy and just use whatever certificate you provide for them. Since they'd all of the same certificate (and private key), it means that any of them could impersonate any other instance of the same AMI. It also means that any of them could MITM or decrypt the web traffic sent to or from any of the other instances.

In general, you should probably always generate fresh cryptographic materials for each initial launch of a public AMI.