I want to offer ready-to-deploy Public Ubuntu Lucid AMIs on Amazon Web Services EC2. As these AMIs use open-source web apps, I want to pre-configure apache mod_ssl and force all traffic over https. That's easy enough.

I'm interested in a sanity check: just how insecure would it be to deploy without a first-run script that generates a new CSR and server.key / server.crt files? (i.e., anyone who accesses the AMI will get a copy of the server.key used by anyone else running an instance launched from this AMI?)

I have yet to see public AMIs from reputable community/enterprise companies offer AMIs in this manner; in fact, most offer them without mod_ssl at all, leaving that up to the sysadmin.

-Jack Murgia

+1  A: 

I would definitely generate a unique key on primary launch of the public instance. People are way too likely to be lazy and just use whatever certificate you provide for them. Since they'd all have the same certificate (and private key), it means that any of them could impersonate any other instance of the same AMI. It also means that any of them could MITM or decrypt the web traffic sent to or from any of the other instances.

In general, you should probably always generate fresh cryptographic materials for each initial launch of a public AMI.

Eadwacer
Thanks; seemed like a no-brainer, and I'm surprised I could not see a mention of this in the AWS EC2 developer guide. A larger issue I have uncovered in my research is the role the entropy source pool plays in this. Any comments on this subject are very welcome.
Cloud Controller
Mind marking this as an answer then, when you have the chance? Thanks.
Eadwacer
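The first-run approach the answer recommends, as an added example that is not part of the original thread: a POSIX shell script that, on first boot only, generates a fresh private key, a CSR (kept for submission to a real CA) and a self-signed placeholder certificate, and records a marker so later boots never silently rotate the key. The directory `/etc/apache2/ssl`, the marker file name and the hostname argument are hypothetical choices for this example; the script assumes only the `openssl` command-line tool. It also exposes the kernel's entropy estimate, which is the value to watch before generating long-lived keys on a freshly booted VM, the concern raised in the comments.

```shell
#!/bin/sh
# Added example (not from the original thread): first-boot generation of
# per-instance TLS material for an Apache mod_ssl AMI. Paths and the
# marker file name are hypothetical choices for this example.
set -eu

# Print the kernel's available entropy estimate, or 0 if unknown.
# A low value right after boot is the signal to wait (or attach a
# hardware/virtio RNG) before generating long-lived keys.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo 0
    fi
}

# Return 0 if the RSA key and certificate share the same modulus,
# i.e. the certificate really belongs to this private key.
tls_key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus)
    crt_mod=$(openssl x509 -in "$2" -noout -modulus)
    [ "$key_mod" = "$crt_mod" ]
}

# Return 0 if the key file is readable by its owner only (mode 0600).
key_is_private() {
    case $(ls -l "$1") in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_instance_tls DIR HOSTNAME
# Generates DIR/server.key, DIR/server.csr and a self-signed DIR/server.crt
# exactly once; the marker file makes every later boot a no-op so the key
# is never replaced behind the administrator's back.
gen_instance_tls() {
    dir="$1"; host="$2"
    marker="$dir/.instance-tls-generated"   # hypothetical marker name
    if [ -f "$marker" ]; then
        return 0
    fi
    mkdir -p "$dir"
    (
        umask 077   # key is created 0600 from the start, never world-readable
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
        openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
            -subj "/CN=$host" 2>/dev/null
        openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
            -out "$dir/server.crt" -days 365 2>/dev/null
    )
    chmod 644 "$dir/server.crt"   # the cert is public; only the key stays private
    tls_key_matches_cert "$dir/server.key" "$dir/server.crt"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$marker"
}

# Typical first-boot hook (rc.local or a cloud-init script; hypothetical paths):
#   gen_instance_tls /etc/apache2/ssl "$(hostname -f)" && service apache2 restart
```

The self-signed certificate only exists so Apache can start with HTTPS enforced; the CSR next to it is what the instance owner submits to a CA to replace it. Keeping the generation idempotent matters because an AMI's first-boot hook typically runs on every boot, and a script that regenerates the key each time would invalidate a CA-issued certificate the admin has since installed.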