Is it be a good idea to own the key file with root? With only read permissions for the file and completely outside of webroot?
The protection offered by root ownership of keys is only valid when the daemon in question starts as root to read the keys and then discards root with setuid. It can then never read the keys again and must keep them in memory.
Apache does do this for the SSL keys, but by the time it is serving PHP pages, it is well after the startup process without root and this protection is not available. The web server/PHP must be able to read the key as the apache/web user.
The only thing ownership by root would give at this point would be to prevent overwriting of the key file with a new key. But since this is no different from being owned by nobody, I'd do it that way.
Having the key file completely outside the webroot is certainly the best way to have it, and is already a recommendation specified in the module.
How many Drupal site builders actually have root access to the machine they are deployed on anyway? I do on our dedicated servers, but all of the other hosting solutions people have thrown at me have been been shared hosting with a low privilege user.
Much appreciated ELC, will set them to nobody then.
Drupal is a registered trademark of Dries Buytaert.