SSL certificate management/storage

Nalin Dahyabhai nalin at redhat.com
Fri Feb 4 23:25:21 UTC 2005


On Fri, Feb 04, 2005 at 11:50:09PM +0100, Aurelien Bompard wrote:
> Joe Orton wrote:
> > 1. certificate storage is split between /etc/httpd/conf/ssl.*
> > for mod_ssl-specific stuff, and /usr/share/ssl for system-wide
> > 2. ... and /usr/share/ssl is Very Wrong for "config data" like certs
> > 3. increasing number of daemon packages are creating self-signed
> > certs in %post scripts; could/should this be unified?
> 
> For what it's worth, Debian puts its certs in /etc/ssl/certs.
> There may be a problem with apache accessing files in /etc/ssl because of
> SELinux, but I don't know much about SELinux yet.
> 
> Having the contents of /usr/share/ssl in /etc would be nice, since it's
> mainly config files (except the scripts).

I agree with moving the files from /usr to /etc.  The specific name
isn't all that important (though I suspect it'll make for some lively
debate -- "but certificates aren't SSL-specific, so call it 'certs'!"
"but I don't keep my OpenPGP certificates there, so call it 'ssl'!" "oh,
just call it 'pki' already!")

The main concern in my mind is making sure that applications which
explicitly configure OpenSSL to look in particular locations don't
suddenly break if/when the set of trusted CA certs is moved, and that
the location to where they're being moved is well-known, so that things
don't get more confusing in the process.  If we stash a symlink in
/usr/share/ssl, then packages can move to using/referencing the new
location on a case-by-case basis, with the plan being to get them all
switched over in Raw Hide before some to-be-determined date.

I guess that leaves the naming debate.  I propose we move this stuff to
"/etc/x509-certificates-and-corresponding-private-keys-and-other-related-files".

Cheers,

Nalin
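The compatibility-symlink migration discussed above, as an added shell example that is not part of this thread: it checks that the old location is a symlink resolving to the new directory and that every PEM file is byte-identical when read through either path, which is the property applications with hard-coded old paths depend on. The temp-dir layout, the placeholder PEM and the destination name /etc/pki are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a trusted-CA directory has
# been moved and that the old path still resolves to it via a symlink, so
# applications configured with the old, explicit path keep working.
# Paths under the demo base dir are constructed for this example only.

# check_cert_migration OLD NEW
# Returns 0 when OLD is a symlink that resolves to NEW and every PEM file in
# NEW is readable and byte-identical through OLD; prints what failed otherwise.
check_cert_migration() {
    old="$1"; new="$2"
    [ -d "$new" ] || { echo "new dir $new missing"; return 1; }
    [ -L "$old" ] || { echo "$old is not a symlink (apps may read a stale copy)"; return 1; }
    old_real=$(cd "$old" 2>/dev/null && pwd -P) || { echo "$old is a dangling symlink"; return 1; }
    new_real=$(cd "$new" && pwd -P)
    [ "$old_real" = "$new_real" ] || { echo "$old resolves to $old_real, not $new"; return 1; }
    for f in "$new"/*.pem; do
        [ -e "$f" ] || continue              # no PEM files at all
        name=$(basename "$f")
        [ -r "$old/$name" ] || { echo "$name not readable via old path"; return 1; }
        cmp -s "$f" "$old/$name" || { echo "$name differs between paths"; return 1; }
        grep -q 'BEGIN CERTIFICATE' "$f" || { echo "$name is not PEM"; return 1; }
    done
    return 0
}

# setup_demo_layout: build a throw-away tree mirroring the proposed move
# (usr/share/ssl -> etc/pki, assumed name) under a temp dir and print its path.
setup_demo_layout() {
    base=$(mktemp -d)
    mkdir -p "$base/etc/pki" "$base/usr/share"
    # constructed placeholder body, not a real CA certificate
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n' \
        > "$base/etc/pki/ca-bundle.pem"
    ln -s "$base/etc/pki" "$base/usr/share/ssl"
    echo "$base"
}
```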
