Re: server certificates/key pairs and CA directories
Daniel Pocock <daniel <at> pocock.pro> writes:
> I looked at the package ssl-cert to try and understand and there I found
> that it is using /etc/ssl/certs for server certs while other packages
Do NOT do that.
It’s causing trouble because some software (e.g. Gajim) reads all files
under /etc/ssl/certs/ not just the hashed ones – presumably because
OpenSSL 1.x changed the algorithm used for the hash, while GnuTLS
keeps using the OpenSSL 0.x one (in MirBSD I just symlink them both).
My suggestion is:
/etc/ssl/private/foo.key ← 0640 root:ssl-cert, secret key
/etc/ssl/foo.cer ← 0644 root:ssl-cert, public key / certificate plus DH
/etc/ssl/foo.ca ← 0644 root:ssl-cert, certificate chain EXCLUDING root
Then make sure to use the same “foo”.