How to change your pass phrase
The private key part pertaining to your certificate is (and should be)
protected with a strong encryption algorithm. This algorithm, usually
3DES, needs a secret pass phrase. From time to time, you may want to
change this pass phrase for security reasons.
This document describes how you do it.
Have your X.509 key file ready and run the following command:
    openssl rsa -in userkey.pem -des3 -out newkey.pem
This command can be run from your ~/.globus directory, possibly
after mounting the appropriate media. You will have to give your `old'
pass phrase first, followed by your new pass phrase (twice).
When you're done, rename the file newkey.pem so that it takes the place
of your old key file (userkey.pem in the command above).
Remember to set the appropriate access mask for your new file
(on *NIX systems it should be 0400).
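The steps above as one shell function, given here as an added example that is not part of the original page. It also checks that the new file opens with the new pass phrase and holds the same key before replacing the old one; the variables OLD_PASS_ARG and NEW_PASS_ARG are hypothetical and only serve non-interactive runs.

```sh
#!/bin/sh
# Added example, not from the original page.
# OLD_PASS_ARG / NEW_PASS_ARG are hypothetical variables holding an OpenSSL
# pass phrase source (e.g. "file:/path"); leave them unset to be prompted.

rekey_pem() {
    key=$1
    new="$(dirname "$key")/newkey.pem"
    if [ ! -f "$key" ]; then echo "no such key file: $key" >&2; return 1; fi
    if [ -e "$new" ]; then echo "$new already exists, not overwriting" >&2; return 1; fi

    # The command from the text, run under umask 077 so the new file is
    # never readable by group or others, not even briefly.
    ( umask 077
      openssl rsa -in "$key" ${OLD_PASS_ARG:+-passin "$OLD_PASS_ARG"} \
          -des3 -out "$new" ${NEW_PASS_ARG:+-passout "$NEW_PASS_ARG"}
    ) || { rm -f "$new"; echo "re-encryption failed; $key unchanged" >&2; return 1; }

    # Check before replacing: the new file must open with the new pass phrase
    # and hold the same key pair (equal public keys). When prompting, this
    # asks for the old and the new pass phrase once more each.
    old_pub=$(openssl rsa -in "$key" ${OLD_PASS_ARG:+-passin "$OLD_PASS_ARG"} -pubout)
    new_pub=$(openssl rsa -in "$new" ${NEW_PASS_ARG:+-passin "$NEW_PASS_ARG"} -pubout)
    if [ -z "$new_pub" ] || [ "$old_pub" != "$new_pub" ]; then
        rm -f "$new"
        echo "verification failed; $key unchanged" >&2
        return 1
    fi

    chmod 0400 "$new"
    # Rename over the old key. This only unlinks the old file; its blocks stay
    # on the media, which is why the text advises sanitizing removable media.
    mv -f "$new" "$key"
}
```

Interactive use: rekey_pem ~/.globus/userkey.pem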
If you are working in a secure environment and have your private key
stored on removable media, we advise you to sanitize the media that
contained your old private key. Only in this way can you be sure
that your `old' pass phrase cannot be used to compromise your private key.
See, for example, the DoD 5220.22-M standard on how to best
sanitize your media.
David Groep <davidg@nikhef.nl>