Re: server certificates/key pairs and CA directories

To: debian-devel@lists.debian.org
Subject: Re: server certificates/key pairs and CA directories
From: Thorsten Glaser <t.glaser@tarent.de>
Date: Tue, 21 Jul 2015 16:50:42 +0000 (UTC)
Message-id: <[🔎] loom.20150721T184836-923@post.gmane.org>
References: <[🔎] 55965143.1070103@pocock.pro>

Daniel Pocock <daniel <at> pocock.pro> writes:

> I looked at the package ssl-cert to try and understand and there I found
> that it is using /etc/ssl/certs for server certs while other packages

Do NOT do that.

It’s causing trouble because some software (e.g. Gajim) reads all files
under /etc/ssl/certs/ not just the hashed ones – presumably because
OpenSSL 1.x changed the algorithm used for the hash, while GnuTLS
keeps using the OpenSSL 0.x one (in MirBSD I just symlink them both).

My suggestion is:

/etc/ssl/private/foo.key  ← 0640 root:ssl-cert, secret key
/etc/ssl/foo.cer ← 0644 root:ssl-cert, public key / certificate plus DH
parameters
/etc/ssl/foo.ca ← 0644 root:ssl-cert, certificate chain EXCLUDING root
certificate

Then make sure to use the same “foo”.

bye,
//mirabilos

Reply to:

References:
- server certificates/key pairs and CA directories
  - From: Daniel Pocock <daniel@pocock.pro>

Prev by Date: Bug#793140: ITP: golang-github-odeke-em-cli-spinner -- Simple spinner library for command line
Next by Date: Re: Huge data files in Debian
Previous by thread: server certificates/key pairs and CA directories
Next by thread: Bug#790971: ITP: ruby-redis-actionpack -- Redis session store for ActionPack
Index(es):
- Date
- Thread