Where to place the common root CA certs
dj at linuxfromscratch.org
Sat Mar 21 07:44:21 PDT 2009
Randy McMurchy wrote:
> Thomas Trepl wrote these words on 03/21/09 07:40 CST:
>> in chapter "Root Certificates" there is a text saying that the certs should
>> be placed in /etc/ssl/certs.
>> The following instructions do install them in /etc/ssl.
>> What's correct?
> What is shown on both the certs page and the OpenSSL page is correct.
> I'm not sure where you see them shown being installed into /etc/ssl.
Actually, I moved it into /etc/ssl, from /etc/ssl/certs after it was
first introduced. The CAPath should contain only single certificates,
and symlinks to each by the hash value of the key (using c_rehash). If
you place the bundle into /etc/ssl/certs and run c_rehash, you'll have
an invalid link, IIRC, for one of the Verisign certificates that points
to the bundle, and that is why it was moved out of certs.
I did write a script to extract the individual pem files to populate
CAPath if you like; it's posted on BLFS-dev, but I didn't really see the
point of using it as OpenSSL's verify program behaves differently with
the newer versions, requiring a specific CAPath or CAFile. It might
change if the path is populated at build time, but the invalid link
would certainly be wrong, regardless of whether it happens to work or not.
I do see an advantage to using the individual pem files (as done by
Debian), in that removal of one or more certs is easier, and that makes
regenerating the bundle easier (CVS not required, plus additional certs
are automatically appended) for programs that don't allow for CAPath as
opposed to CAFile.
-- DJ Lucas
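As an added illustration of the CAPath layout discussed in this thread (not the script DJ posted to BLFS-dev): a POSIX shell helper that splits a bundle into one-certificate files, then creates the hash-named symlinks (subject-name hash, as c_rehash does) while refusing to link any file that holds more than one certificate, which is the invalid-link case described above. It assumes `openssl` is on the PATH for the hashing step; the sample bundle is constructed with placeholder bodies.

```sh
#!/bin/sh
# Hypothetical helper (not the script DJ posted to BLFS-dev): split a CA bundle
# into one-certificate files and build the hash symlinks a CAPath needs, skipping
# any file that holds more than one certificate.

# Number of certificates in a PEM file; a CAPath entry must contain exactly one.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split $1 (a bundle) into $2/cert-NNN.pem, one certificate each; prints the count.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { close(f); inside = 0 }
    ' "$bundle"
    count=0
    for f in "$outdir"/cert-*.pem; do [ -e "$f" ] && count=$((count + 1)); done
    echo "$count"
}

# Create HASH.N symlinks (subject-name hash, as c_rehash does) for every
# single-certificate file in $1; multi-certificate files are reported and skipped,
# so a bundle dropped into the directory never becomes a link target.
rehash_dir() {
    dir="$1"
    for pem in "$dir"/*.pem; do
        if [ "$(count_certs "$pem")" -ne 1 ]; then
            echo "skipping $pem: holds more than one certificate" >&2
            continue
        fi
        h=$(openssl x509 -in "$pem" -noout -subject_hash) || continue
        i=0
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$pem")" "$dir/$h.$i"
    done
}

# Write a constructed two-entry bundle to $1 (placeholder bodies, not real certs).
make_sample_bundle() {
    printf '%s\n' '# constructed sample bundle' \
        '-----BEGIN CERTIFICATE-----' 'QUFB' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'QkJC' '-----END CERTIFICATE-----' > "$1"
}
```

Run `split_bundle bundle.pem /etc/ssl/certs` followed by `rehash_dir /etc/ssl/certs` to populate a CAPath; the bundle itself stays outside that directory.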