Bug#790943: Root and local certificate location clash
Package: ssl-cert
Version: 1.0.35
Severity: serious
I've marked this bug serious because it could lead to security problems
if people mix root certs and other certs in the same directory.
This package provides the script /usr/sbin/make-ssl-cert.
It creates certificates and puts the public key / certificate PEM file
in /etc/ssl/certs.
The ca-certificates package puts symlinks to CA certificates in the same
location, /etc/ssl/certs.
Some other packages refer to /etc/ssl/certs as a directory of trusted
roots. E.g. according to this page: https://wiki.debian.org/ServicesSSL
the whole directory was trusted by wget in wheezy but not in jessie.
Some people suggest using /etc/ssl/ssl.crt or /etc/ssl/public for local
certificate files.
I did a Google search to try and find out if there is a policy about
this directory and no results were found. So I can't say that this
package is violating any specific policy or what should be done to fix
it, but I do feel the status quo is troublesome.
Should local certs go in some other directory, or should other packages
stop trusting everything in /etc/ssl/certs? If it is the latter, then
maybe some QA check is needed to evaluate how many packages refer to
that location.
I came across these pages relating to the topic:
https://wiki.debian.org/Cryptography
https://wiki.debian.org/X.509
https://wiki.debian.org/SslCertificateHandling
https://wiki.debian.org/ServicesSSL
In RHEL 7, I notice they have:
/etc/pki/tls/certs (local server certs)
/etc/pki/tls/private (private keys)
and there is no directory with a collection of root certs, just a couple
of root bundles with all certs in the same file:
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
The Fedora docs are here:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
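As an added example (not part of the report or of the ssl-cert package), the following audit lists the certificates in an /etc/ssl/certs-style directory that ca-certificates did not install, i.e. exactly the locally generated files the report worries about. It assumes the Debian layout in which ca-certificates populates the directory with symlinks into /usr/share/ca-certificates (plus hash symlinks pointing at those) and the generated bundle ca-certificates.crt; the sample tree it builds is constructed, and the file name ssl-cert-snakeoil.pem stands in for make-ssl-cert output.

```python
import tempfile
from pathlib import Path

BUNDLE_NAME = "ca-certificates.crt"          # bundle written by update-ca-certificates
PEM_CERT_MARKER = b"-----BEGIN CERTIFICATE-----"


def classify(entry: Path, ca_store: Path) -> str:
    """Classify one entry of a certs directory.

    'ca-package' : symlink resolving into the ca-certificates store, or the bundle
    'local-cert' : a PEM certificate that did not come from ca-certificates
    'other'      : anything else (README, dangling or unrelated links)
    """
    if entry.is_symlink():
        try:
            resolved = entry.resolve(strict=True)
        except (FileNotFoundError, RuntimeError):   # dangling or looping link
            return "other"
        if resolved.is_relative_to(ca_store.resolve()):
            return "ca-package"
        # a link leaving the CA store points at something locally managed
        return "local-cert" if PEM_CERT_MARKER in resolved.read_bytes() else "other"
    if not entry.is_file():
        return "other"
    if entry.name == BUNDLE_NAME:
        return "ca-package"
    return "local-cert" if PEM_CERT_MARKER in entry.read_bytes() else "other"


def audit(certs_dir: Path, ca_store: Path) -> list[str]:
    """Names of certificates in certs_dir that anything trusting the whole
    directory would accept although ca-certificates never installed them."""
    return sorted(p.name for p in certs_dir.iterdir()
                  if classify(p, ca_store) == "local-cert")


def build_sample_tree() -> Path:
    """Constructed sample layout (not a real system) mirroring the clash in the report."""
    root = Path(tempfile.mkdtemp())
    store = root / "usr/share/ca-certificates/mozilla"
    certs = root / "etc/ssl/certs"
    store.mkdir(parents=True)
    certs.mkdir(parents=True)
    fake_pem = PEM_CERT_MARKER + b"\n(constructed, not a real certificate)\n"
    (store / "Example_Root_CA.crt").write_bytes(fake_pem)
    (certs / "Example_Root_CA.pem").symlink_to(store / "Example_Root_CA.crt")  # ca-certificates link
    (certs / "deadbeef.0").symlink_to("Example_Root_CA.pem")                   # relative hash link
    (certs / BUNDLE_NAME).write_bytes(fake_pem)                                # generated bundle
    (certs / "ssl-cert-snakeoil.pem").write_bytes(fake_pem)                    # make-ssl-cert output
    (certs / "README").write_text("not a certificate\n")
    return root
```

Running `audit(Path("/etc/ssl/certs"), Path("/usr/share/ca-certificates"))` on a real host shows which local certificates share the directory with the trusted roots.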