
Re: certificate creation in postinst, potentially using letsencrypt script



Quoting Anthony DeRobertis (2015-11-20 03:06:20)
> On 08/05/2015 07:11 AM, Thorsten Glaser wrote:
>> Bas Wijnen <wijnen <at> debian.org> writes:
>>
>>> Certificates are placed in /etc/ssl/certs/.
>> No, in /etc/ssl. /etc/ssl/certs/ is for Root CA certificates *only*.
>
> (sorry for responding to a very old message)

Thanks for doing so.


> Really? I've often put the local machine's cert(s) in there. The private 
> key goes in private, and the certificate in certs.
>
> That's also how, for example, the autogenerated snakeoil cert works. 
> That's where make-ssl-cert puts it.
>
> If this isn't how it's supposed to be used, that's surprising, and 
> especially if it's actually a security issue, ought to be documented in 
> at least one of:
> 
>   - a README in /etc/ssl/ or /etc/ssl/certs
>   - man update-ca-certificates
>   - /usr/share/doc/ca-certificates/README.Debian
>   - /usr/share/doc/openssl/README.Debian
>   - bug #26406 (just kidding)
> 
> all of which I checked, and they either don't exist (that first one) or 
> don't say to only put CA certs in /etc/ssl/certs.
> 
> And as noted above, ssl-cert puts the default snakeoil certs there—so 
> that's the path you see in, e.g., shipped config files. Which naturally 
> suggests to the admin that's where they belong.
> 

Really: Thanks: You describe *exactly* my line of thought, which led me 
to my current location of local CAcert.org-issued certificates.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
