On 08/05/2015 07:11 AM, Thorsten Glaser wrote:
> Bas Wijnen <wijnen <at> debian.org> writes:
>> Certificates are placed in /etc/ssl/certs/.
> No, in /etc/ssl. /etc/ssl/certs/ is for Root CA certificates *only*.
> (sorry for responding to a very old message)
Really? I've often put the local machine's cert(s) in there. The private
key goes in private, and the certificate in certs.
That's also how, for example, the autogenerated snakeoil cert works.
That's where make-ssl-cert puts it.
If this isn't how it's supposed to be used, that's surprising, and
especially if it's actually a security issue, ought to be documented in
at least one of:
- a README in /etc/ssl/ or /etc/ssl/certs
- man update-ca-certificates
- /usr/share/doc/ca-certificates/README.Debian
- /usr/share/doc/openssl/README.Debian
- bug #26406 (just kidding)
all of which I checked, and they either don't exist (that first one) or
don't say to only put CA certs in /etc/ssl/certs.
And as noted above, ssl-cert puts the default snakeoil certs there--so
that's the path you see in, e.g., shipped config files. Which naturally
suggests to the admin that's where they belong.