
Re: server certificates/key pairs and CA directories

Daniel Pocock <daniel <at> pocock.pro> writes:

> I looked at the package ssl-cert to try and understand and there I found
> that it is using /etc/ssl/certs for server certs while other packages

Do NOT do that.

It’s causing trouble because some software (e.g. Gajim) reads all files
under /etc/ssl/certs/ not just the hashed ones – presumably because
OpenSSL 1.x changed the algorithm used for the hash, while GnuTLS
keeps using the OpenSSL 0.x one (in MirBSD I just symlink them both).

My suggestion is:

/etc/ssl/private/foo.key  ← 0640 root:ssl-cert, secret key
/etc/ssl/foo.cer ← 0644 root:ssl-cert, public key / certificate plus DH
/etc/ssl/foo.ca ← 0644 root:ssl-cert, certificate chain EXCLUDING root

Then make sure to use the same “foo”.

