On 04/02/2012 12:48 PM, Russ Allbery wrote:
> Bill Allombert <bill.allomb...@math.u-bordeaux1.fr> writes:
>
>> Another issue is that no directory is provided for the system
>> administrator to put their local certs. Of course they can use
>> /etc/ssl/certs, but then the certs are drowned by the number.
>
> ca-certificates supports putting local certificates into
> /usr/local/share/ca-certificates, after which they're treated as trusted
> certificates and linked into /etc/ssl/certs similar to how the
> certificates in /usr/share/ca-certificates are handled.
There are (at least) two classes of "local certs" -- this is the core of all of this confusion.

0) there are certificate authority certs that the admin wants to rely on for certification.

1) there are certs used to identify TLS-capable services on the machine

2) (additionally, there are potentially intermediate certificates that chain back from the certs in class 1 -- these are needed for regular operation if certs in class 1 were not issued directly by a root authority).

The ca-certificates package suggests /usr/local/share/ca-certificates/ as the correct place for certs in class 0. Secret keys (not certs) for TLS-capable services are usually suggested to be placed in /etc/ssl/private.

But (AFAIK) there aren't any well-documented/clear/commonly-held standards for where certs in classes 1 and 2 should be placed. I think it would ease administration (and make it easier for various debian-knowledgeable admins to help each other) if there was such a standard.

--dkg
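A check that follows from the two messages above, added here as an example and not code from either poster or from the ca-certificates package: it classifies a PEM certificate into dkg's three classes with openssl(1) (assumed installed) and audits a class-0 directory such as /usr/local/share/ca-certificates, where update-ca-certificates picks up files named *.crt, so a service or intermediate cert dropped there by mistake gets a warning.

```shell
#!/bin/sh
# Added example, not from the thread or the ca-certificates package.
# Assumes openssl(1) is installed. dkg's classes:
#   0: CA cert the admin wants to trust (self-signed root, CA:TRUE)
#   1: end-entity cert identifying a TLS service (CA:FALSE)
#   2: intermediate CA cert (CA:TRUE, issued by another CA)

# True if the cert carries basicConstraints CA:TRUE. A cert with no
# basicConstraints at all is treated as non-CA, as strict verifiers do.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Basic Constraints/ { getline; print }' |
        grep -q 'CA:TRUE'
}

# True if subject and issuer name hashes match, i.e. the cert is self-signed.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null)
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Print the class number (0, 1 or 2) for one PEM certificate file.
classify_cert() {
    if cert_is_ca "$1"; then
        if cert_is_self_signed "$1"; then echo 0; else echo 2; fi
    else
        echo 1
    fi
}

# Audit a directory meant for class-0 certs (default: the location Russ
# names). update-ca-certificates only picks up *.crt there and adds each
# one to the trusted set, so a class-1 or class-2 file is worth a warning.
# Returns non-zero if anything other than a self-signed CA was found.
audit_local_ca_dir() {
    dir=${1:-/usr/local/share/ca-certificates}
    rc=0
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue
        case $(classify_cert "$f") in
            0) echo "ok   $f: class 0, self-signed CA" ;;
            2) echo "WARN $f: class 2, intermediate CA, not a root"; rc=1 ;;
            1) echo "WARN $f: class 1, end-entity cert, not a CA"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as `audit_local_ca_dir` (or with another directory as the argument) after sourcing the file; a non-zero exit means at least one file there is not a self-signed CA.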