SSL cert/key location

seth vidal skvidal at phy.duke.edu
Wed Dec 22 15:13:18 UTC 2004


On Wed, 2004-12-22 at 16:11 +0100, Farkas Levente wrote:
> Chris Adams wrote:
> > Once upon a time, Axel Thimm <Axel.Thimm at ATrpms.net> said:
> > 
> >>Indeed, I always wondered why the certificates had been put under
> >>/usr/share/ssl and by whom. The FHS had been quite strict on this from
> >>the very beginning.
> >>
> >>/etc seems a rather sane place. Perhaps /etc/ssl/?
> > 
> > 
> > You'll need to modify OpenSSL to handle multiple "default" directories.
> > Currently I think you can only specify a single directory for certs (the
> > certs setting under the CA_default section in openssl.cnf).
> > Applications use OpenSSL calls to validate the cert chain, so it'll need
> > to look in the local directory (/etc/ssl/certs) first and then the other
> > directory (/usr/share/ssl/certs) when walking the cert chain.  The crl
> 
> why we need /usr/share/ssl/ at all? /etc/ssl would be enough (as one 
> directory)!
> 

And /etc/ssl would be FHS Compliant b/c the certs look a lot like a
configuration/data file. At the very least the certs should be in /var
but definitely not /usr

-sv





More information about the fedora-devel-list mailing list