
Re: certificate creation in postinst, potentially using letsencrypt script



On 08/05/2015 07:11 AM, Thorsten Glaser wrote:
> Bas Wijnen <wijnen <at> debian.org> writes:
>
>> Certificates are placed in /etc/ssl/certs/.
>
> No, in /etc/ssl. /etc/ssl/certs/ is for Root CA certificates *only*.

(sorry for responding to a very old message)

Really? I've often put the local machine's cert(s) in there. The private key goes in private, and the certificate in certs.

That's also how, for example, the autogenerated snakeoil cert works. That's where make-ssl-cert puts it.

If this isn't how it's supposed to be used, that's surprising, and especially if it's actually a security issue, ought to be documented in at least one of:

 - a README in /etc/ssl/ or /etc/ssl/certs
 - man update-ca-certificates
 - /usr/share/doc/ca-certificates/README.Debian
 - /usr/share/doc/openssl/README.Debian
 - bug #26406 (just kidding)

all of which I checked, and they either don't exist (that first one) or don't say to only put CA certs in /etc/ssl/certs.

And as noted above, ssl-cert puts the default snakeoil certs there—so that's the path you see in, e.g., shipped config files. Which naturally suggests to the admin that's where they belong.

