Permissions for SSL key?

Private keys should have reading heavily restricted. Setting permissions to 600 and owned by root should work. However, there are other secure permissions settings - Ubuntu stores keys in a directory with owner root and group ssl-cert and permissions 710. This means that only members of ssl-cert can access any files in that directory. Private keys then have group ssl-cert, owner root, and permissions 640.

I had an issue getting nginx setup and came across this question. The other answer here has already directly answered the question but I thought a little more information would be helpful.

Normally, nginx is started as the root user by init scripts / systemd. However, nginx also has the ability to switch to a less privileged user for normal operations. So my question was which user is used to load the ssl certificate/key? The initial privileged user or the one that is switched to?

Fortunately, nginx uses the initial permissions to read the certificate and key into memory before switching users. So, normally, you really can leave the keys with very restricted permissions as they are loaded by nginx when it's still running as root.

The problem that I was running into that landed me here was that I was defining ssl_certificate only in my server blocks in nginx.conf. I was getting errors like [error] 18606#18606: *311 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking when I knew darn good and well that my keys were in the right place. That issue was that I didn't have a ssl_certificate at the http level of nginx.conf.

Hope this is helpful for someone.