A question/comment: should the server certificate end up in /etc/ssl/certs? This path contains the trusted CA certs, and would be subject to having the c_rehash command run against everything within the /etc/ssl/certs path to update if adding a private CA to the set.
It would seem to make better sense to have an /etc/ssl/public or something else… or have /etc/ssl/certs be /etc/ssl/cacerts to disambiguate with an /etc/ssl/certs for the signed (or self-signed) certificate file for the host?
Or am I missing a finer point to glomming the issued (CA-signed) or self-signed certificate for the host into the same place as the CA certificates?
Server certs should not be in /etc/ssl/certs. That’s for CAs.
I suspect this “trend” of putting server certs in that directory started because many people generate self-signed certs for testing (which are essentially dummy CAs), and need the client (from the same host many times) to trust it. Even then, the right place is /usr/local/share/ca-certificates, and then run update-ca-certificates after that. It will take care of creating a symlink in /etc/ssl/certs and running c_rehash.
This passage seems then to be the point where things go wrong, in that it instructs the end user to copy their self-signed cert into that path (when generating one). It would be nice to establish (and document) the handling in a common place for CA-signed certificates to end up in. The document goes on to discuss self-signed CA procedures as well, instantiating a “/etc/ssl/newcert” path, but that discussion is for generating certs for multiple hosts beyond the local host scenario we are discussing.
I realize admins can put the server cert and key anywhere on the filesystem; it just seems to be a missed opportunity to not fully define the “private CA” signed certificate handling scenario, and having a “home” for it within that space.
Agreed. Could you please take a look at what I did for the ldap + tls topic, in the part where the generated certificates are copied to their final places? See what you think?
We should probably correctly define this here instead of repeating it over and over for each service that supports TLS/SSL.
@ahasenack - Thank you. I came to this page trying to figure out how to give a Linux application access to read the SSL certificate private key and cert. I found that not here but at the link you posted above. Appreciate that. I would like to add to your writeup that one of those packages, either “gnutls-bin” or “ssl-cert”, must be installed in order to create the “ssl-cert” group in the /etc/groups file that should be used to set the permissions on the directory where the host's SSL certs, that processes like Apache, Postgres, etc. need in order to start up, are kept.
Appreciate the good documentation!
-Matt
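The two pieces of advice above (a private CA goes into /usr/local/share/ca-certificates followed by update-ca-certificates, while the host's own server cert and key live with the service and the key is readable only via the ssl-cert group) as one added shell example. This is not code from the Ubuntu documentation or from anyone in this thread; the optional ROOT argument, the service directory and the CA:TRUE check via openssl are assumptions made here so the steps can be exercised unprivileged in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the Ubuntu docs or this thread.
# ROOT is an assumption for testing: "" (the default) means the real filesystem.
set -eu

# Returns 0 when the PEM file carries basicConstraints CA:TRUE, 1 otherwise.
# Plain `openssl x509 -text` is used so it also works on older OpenSSL releases.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# install_ca_cert PEM NAME [ROOT]
# Private CA certs belong in /usr/local/share/ca-certificates/NAME.crt (the
# .crt suffix is what update-ca-certificates looks for). update-ca-certificates
# then creates the symlink in /etc/ssl/certs and runs c_rehash, so nothing is
# ever copied into /etc/ssl/certs by hand.
install_ca_cert() {
    pem=$1; name=$2; root=${3:-}
    # A server (leaf) cert is not a trust anchor; refuse to put it in the store.
    if command -v openssl >/dev/null 2>&1 && ! is_ca_cert "$pem"; then
        echo "refusing: $pem is not a CA certificate" >&2
        return 1
    fi
    dest="$root/usr/local/share/ca-certificates"
    mkdir -p "$dest"
    install -m 0644 "$pem" "$dest/$name.crt"
    if [ -z "$root" ]; then
        update-ca-certificates
    fi
    echo "$dest/$name.crt"
}

# install_server_cert CERT KEY DESTDIR [GROUP]
# The host's own cert and key live with the service (DESTDIR, e.g. a directory
# under /etc/<service>), not in /etc/ssl/certs. The cert is world-readable; the
# key is mode 0640 with GROUP (ssl-cert, created by the ssl-cert package) so
# only accounts in that group can read it. Without the group, fall back to 0600.
install_server_cert() {
    cert=$1; key=$2; dest=$3; group=${4:-ssl-cert}
    mkdir -p "$dest"
    install -m 0644 "$cert" "$dest/$(basename "$cert")"
    if getent group "$group" >/dev/null 2>&1; then
        install -m 0640 -g "$group" "$key" "$dest/$(basename "$key")"
    else
        echo "group $group missing (install the ssl-cert package); keeping key root-only" >&2
        install -m 0600 "$key" "$dest/$(basename "$key")"
    fi
}

# Usage on a real host (as root), with paths chosen for illustration:
#   install_ca_cert /root/myca/cacert.pem mycacert
#   install_server_cert /root/myca/host.pem /root/myca/host.key /etc/myservice ssl-cert
#   usermod -a -G ssl-cert <service-account>
```

The service account still has to be a member of the group the key is chgrp'd to (usermod -a -G ssl-cert, then restart the service), which is the step that trips people up once the package has created the group.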
Great documentation, thank you! I think there may be one small error: this has you create the /etc/ssl/newcerts directory, but I do not see any configuration that specifies that as the new certs directory for openssl. I believe your [ ca_default ] section should be updated with the line new_certs_dir = $dir/newcerts. Thank you!
Hi @afewell,
While you are correct, the ca_default section for a default openssl installation already contains that entry for new_certs_dir. Do note that these docs only suggest that the user should make specific changes to that configuration section (instead of re-writing the whole section or configuration file).