SSL cert/key location (was: rawhide report: 20041217 changes)

Chris Adams cmadams at hiwaay.net
Wed Dec 22 14:58:25 UTC 2004


Once upon a time, Axel Thimm <Axel.Thimm at ATrpms.net> said:
> Indeed, I always wondered why the certificates had been put under
> /usr/share/ssl and by whom. The FHS had been quite strict on this from
> the very beginning.
> 
> /etc seems a rather sane place. Perhaps /etc/ssl/?

You'll need to modify OpenSSL to handle multiple "default" directories.
Currently I think you can only specify a single directory for certs (the
certs setting under the CA_default section in openssl.cnf).
Applications use OpenSSL calls to validate the cert chain, so it'll need
to look in the local directory (/etc/ssl/certs) first and then the other
directory (/usr/share/ssl/certs) when walking the cert chain.  The crl
directory should be similar (so you can add local revocations).

What may be a good idea is to have "well known" names for services, like
/etc/ssl/certs/imap, /etc/ssl/certs/smtp, etc.  Then you could configure
sendmail for example to use /etc/ssl/certs/smtp.  The admin can choose
which cert to use for SSL by symlinking /etc/ssl/certs/smtp to
/etc/ssl/certs/mycert.pem (without having to reconfigure sendmail).

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

More information about the fedora-devel-list mailing list