[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#790943: Root and local certificate location clash

Package: ssl-cert
Version: 1.0.35
Severity: serious

I've marked this bug serious because it could lead to security problems
if people mix root certs and other certs in the same directory

This package provides the script /usr/sbin/make-ssl-cert

It creates certificates and puts the public key / certificate PEM file
in /etc/ssl/certs

The ca-certificates package puts symlinks to CA certificates in the same
location, /etc/ssl/certs

Some other packages refer to /etc/ssl/certs as a directory of trusted
roots.  E.g. according to this page: https://wiki.debian.org/ServicesSSL
the whole directory was trusted by wget in wheezy but not in jessie.

Some people suggest using /etc/ssl/ssl.crt or /etc/ssl/public for local
certificate files.

I did a Google search to try and find out of there is a policy about
this directory and no results were found.  So I can't say that this
package is violating any specific policy or what should be done to fix
it, but I do feel the status quo is troublesome.

Should local certs go in some other directory, or should other packages
stop trusting everything in /etc/ssl/certs?  If it is the latter, then
maybe some QA check is needed to evaluate how many packages refer to
that location.

I came across these pages relating to the topic:

In RHEL 7, I notice they have:

/etc/pki/tls/certs   (local server certs)
/etc/pki/tls/private (private keys)

and there is no directory with a collection of root certs, just a couple
of root bundles with all certs in the same file:


The Fedora docs are here:

Reply to: