SSL cert/key location (was: rawhide report: 20041217 changes)
Chris Adams
cmadams at hiwaay.net
Wed Dec 22 14:58:25 UTC 2004
Once upon a time, Axel Thimm <Axel.Thimm at ATrpms.net> said:
> Indeed, I always wondered why the certificates had been put under
> /usr/share/ssl and by whom. The FHS had been quite strict on this from
> the very beginning.
>
> /etc seems a rather sane place. Perhaps /etc/ssl/?
You'll need to modify OpenSSL to handle multiple "default" directories.
Currently I think you can only specify a single directory for certs (the
certs setting under the CA_default section in openssl.cnf).
Applications use OpenSSL calls to validate the cert chain, so it'll need
to look in the local directory (/etc/ssl/certs) first and then the other
directory (/usr/share/ssl/certs) when walking the cert chain. The crl
directory should be similar (so you can add local revocations).
What may be a good idea is to have "well known" names for services, like
/etc/ssl/certs/imap, /etc/ssl/certs/smtp, etc. Then you could configure
sendmail for example to use /etc/ssl/certs/smtp. The admin can choose
which cert to use for SSL by symlinking /etc/ssl/certs/smtp to
/etc/ssl/certs/mycert.pem (without having to reconfigure sendmail).
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
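The two ideas in the post, a local certificate directory consulted before the distribution's shared one and per-service "well known" names that are symlinks an admin repoints, modelled as an added shell example (not code from the post or from Fedora). It builds everything under a temporary directory with constructed placeholder files instead of real PEM certificates, and the directory names, the `find_cert`/`set_service_cert`/`service_cert` helpers and the service name `smtp` are all assumptions for illustration; OpenSSL itself, as the post notes, does not search two directories in this order on its own.

```shell
#!/bin/sh
# Added demo (not from the post): local-first certificate lookup and
# per-service symlink names. Everything lives under a temp directory;
# nothing here touches /etc or /usr/share.
set -eu

DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT
LOCAL_CERTS="$DEMO/etc/ssl/certs"        # stands in for /etc/ssl/certs
SHARED_CERTS="$DEMO/usr/share/ssl/certs" # stands in for /usr/share/ssl/certs
mkdir -p "$LOCAL_CERTS" "$SHARED_CERTS"

# Constructed placeholders; a real deployment holds PEM files here.
printf 'SHARED DISTRO CA\n'  > "$SHARED_CERTS/ca-bundle.pem"
printf 'LOCAL OVERRIDE CA\n' > "$LOCAL_CERTS/ca-bundle.pem"
printf 'MY SERVER CERT\n'    > "$LOCAL_CERTS/mycert.pem"
printf 'NEW SERVER CERT\n'   > "$LOCAL_CERTS/newcert.pem"

# find_cert NAME: print the path of NAME, checking the local directory
# first and the shared one second (the order the post asks for); fail if
# neither has it. This is the search order a library would need, modelled
# in shell.
find_cert() {
    for dir in "$LOCAL_CERTS" "$SHARED_CERTS"; do
        if [ -f "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
}

# set_service_cert SERVICE CERTFILE: point the well-known name (e.g. smtp)
# at CERTFILE, which must already exist in the local directory. The link is
# relative, so the directory can be copied or mounted elsewhere intact.
set_service_cert() {
    if [ ! -f "$LOCAL_CERTS/$2" ]; then
        echo "no such cert in $LOCAL_CERTS: $2" >&2
        return 1
    fi
    ln -sf "$2" "$LOCAL_CERTS/$1"
}

# service_cert SERVICE: report which file the well-known name resolves to.
service_cert() {
    readlink "$LOCAL_CERTS/$1"
}

# Usage: the daemon is configured once to read $LOCAL_CERTS/smtp; the admin
# swaps certificates by repointing the link, not by editing sendmail.cf.
set_service_cert smtp mycert.pem
echo "smtp uses: $(service_cert smtp)"
set_service_cert smtp newcert.pem
echo "smtp now uses: $(service_cert smtp)"
echo "ca-bundle.pem resolves to: $(find_cert ca-bundle.pem)"
```

Removing the local `ca-bundle.pem` makes `find_cert` fall through to the shared copy, which is the fallback behaviour the post wants; a name present in neither directory fails rather than silently returning nothing, which is what a caller validating a chain should see.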