Added by Omega3 21 days ago

We are considering eliminating crt&key exposure.

When lighttpd restarts, the pem file must be present for the web server, but this is a plain-text file, so there is a risk of exposure. So I would like to delete the pem file (ssl.pemfile) after lighttpd restarts and keep it absent until the next lighttpd restart.

I wonder if I can use this method?

RE: lighttpd ssl.pemfile - Added by gstrauss 21 days ago

lighttpd currently reads the .pem and .privkey files at startup, so that will probably work with current versions of lighttpd.

However, one better solution might be to put a public-facing proxy such as HAProxy on a separate server with those more sensitive keys, and to generate your own internal certificates (which you rotate more frequently) for use between HAProxy and your lighttpd server(s).
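The split described above, as an added example that is not from this thread or from either project: HAProxy on a separate host holds the public-facing key pair, while lighttpd serves only an internal, frequently rotated certificate and accepts only clients presenting a certificate from the internal CA. The address 10.0.0.5 and every file path are assumed placeholders.

```conf
# --- lighttpd.conf on the backend host (reached only by HAProxy) ---
# Placeholder paths: /etc/lighttpd/internal/* is assumed, not a project default.
server.modules += ( "mod_openssl" )

$SERVER["socket"] == "10.0.0.5:8443" {
    ssl.engine  = "enable"
    # Short-lived certificate issued by your own internal CA
    ssl.pemfile = "/etc/lighttpd/internal/lighttpd.crt"
    ssl.privkey = "/etc/lighttpd/internal/lighttpd.key"
    # Require the proxy to present a certificate signed by the internal CA
    ssl.ca-file               = "/etc/lighttpd/internal/internal-ca.crt"
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce  = "enable"
}

# --- haproxy.cfg on the public-facing host (holds the real key) ---
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/public.pem
    default_backend lighttpd_pool

backend lighttpd_pool
    # TLS to lighttpd, verified against the internal CA; HAProxy presents its
    # own internal client certificate so lighttpd's verifyclient check passes
    server web1 10.0.0.5:8443 ssl verify required ca-file /etc/haproxy/internal-ca.crt crt /etc/haproxy/haproxy-internal.pem
```

Rotating the internal certificate then only touches the backend host, and a compromise there exposes a key that the internal CA can retire quickly rather than the public-facing one.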