Insecure permissions on SSL Key Files
SSL key files uploaded via the web interface have insecure permissions; they are world-readable. Instead, they should be restricted to root. The keys have been uploaded by pasting both key and certificate into the web interface and using the "Save Certificate" option. The key file has not been created by ISPConfig (i.e. existing key/cert pairs).
Using current ISPConfig with Debian Wheezy, installed as per the "Perfect Server Setup" on Howtoforge.
The result:
root@isp:/var/www# ls */ssl -la
foo.bar/ssl:
insgesamt 16
drwxr-xr-x 2 root root 4096 Jun 18 13:52 .
drwxr-xr-x 9 root root 4096 Jun 18 13:47 ..
-rw-r--r-- 1 root root 2086 Jun 18 13:52 foo.bar.crt
-rw-r--r-- 1 root root 3294 Jun 18 13:52 foo.bar.key

foo.baz/ssl:
insgesamt 16
drwxr-xr-x 2 root root 4096 Jun 14 22:00 .
drwxr-xr-x 9 root root 4096 Jun 14 21:59 ..
-rw-r--r-- 1 root root 2084 Jun 14 22:00 foo.baz.crt
-rw-r--r-- 1 root root 3294 Jun 14 22:00 foo.baz.key
If you need more information, please let me know.
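
An administrator can check for and tighten the permissions shown in the listing above with the following added example, which is not part of the original report or of ISPConfig's code. The function names are hypothetical, and the default web root /var/www and the <site>/ssl/<site>.key layout are assumptions taken from the listing.

```shell
#!/bin/sh
# Added example: audit private-key permissions under a web root laid out
# like the listing in the report (<webroot>/<site>/ssl/<site>.key).
# Usage after sourcing this file:  audit_ssl_keys /var/www
#                                  fix_ssl_keys /var/www

# Print every *.key file inside an ssl/ directory whose mode is anything
# other than owner-only (0600 or 0400). Certificates (*.crt) are public
# and are deliberately not checked.
audit_ssl_keys() {
    webroot=${1:-/var/www}
    find "$webroot" -type f -path '*/ssl/*.key' \
        ! -perm 0600 ! -perm 0400 -print | sort
}

# Restrict each flagged key to owner read/write and report what changed.
# Ownership is left untouched; in the report the files already belong to root.
fix_ssl_keys() {
    webroot=${1:-/var/www}
    audit_ssl_keys "$webroot" | while IFS= read -r key; do
        chmod 600 "$key" && printf 'fixed: %s\n' "$key"
    done
}
```

Services that read the key as a non-root user would need a group-based mode instead; the report's setup has root-owned keys, so 0600 matches its stated requirement.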