Where to place the common root CA certs

DJ Lucas dj at linuxfromscratch.org
Sat Mar 21 07:44:21 PDT 2009

Randy McMurchy wrote:
> Thomas Trepl wrote these words on 03/21/09 07:40 CST:
>> Hiho,
>> in chapter "Root Certificates" there is a text saying that the certs should
>> be placed in /etc/ssl/certs.
>> The following instructions do install them in /etc/ssl.
>> What's correct?
> What is shown on both the certs page and the OpenSSL page is correct.
> /etc/ssl/certs
> I'm not sure where you see them shown being installed into /etc/ssl.
Actually, I moved it into /etc/ssl, from /etc/ssl/certs after it was 
first introduced.  The CAPath should contain only single certificates, 
and symlinks to each by the hash value of the key (using c_rehash).  If 
you place the bundle into /etc/ssl/certs and run c_rehash, you'll have 
an invalid link, IIRC, for one of the Verisign certificates that points 
to the bundle, and that is why it was moved out of certs.

I did write a script to extract the individual pem files to populate 
CAPath, if you like; it's posted on BLFS-dev, but I didn't really see the 
point of using it as OpenSSL's verify program behaves differently with 
the newer versions, requiring a specific CAPath or CAFile.  It might 
change if the path is populated at build time, but the invalid link 
would certainly be wrong, regardless of whether it happens to work or not. 

I do see an advantage to using the individual pem files (as done by 
Debian), in that removal of one or more certs is easier, and that makes 
regenerating the bundle easier (CVS not required, plus additional certs 
are automatically appended) for programs that don't allow for CAPath as 
opposed to CAFile.

-- DJ Lucas
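
The layout rule described in the message above (CAPath holds single certificates plus hash links, and the bundle lives outside it) can be checked and repaired with a few shell functions. This is an added example, not the script posted on BLFS-dev; the function names and the `cert-NNN.pem` file naming are assumptions, and the functions look only at PEM marker lines rather than parsing certificates.

```shell
#!/bin/sh
# Added example: constructed helper names, not the script posted on BLFS-dev.
# Functions look only at the PEM BEGIN/END marker lines; they do not parse X.509.

# count_certs FILE: print the number of PEM certificate blocks in FILE.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# audit_capath DIR: report entries that do not belong in a CApath directory.
#   BUNDLE          regular file holding more than one certificate
#   LINK_TO_BUNDLE  symlink (e.g. a c_rehash hash link) resolving to such a file
#   DANGLING        symlink whose target is gone
# Returns 1 if anything was reported, 0 if the directory is clean.
audit_capath() {
    bad=0
    for f in "$1"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "DANGLING $f"; bad=1
        elif [ -f "$f" ] && [ "$(count_certs "$f")" -gt 1 ]; then
            if [ -L "$f" ]; then echo "LINK_TO_BUNDLE $f"; else echo "BUNDLE $f"; fi
            bad=1
        fi
    done
    return "$bad"
}

# split_bundle BUNDLE OUTDIR: write each certificate block to its own file,
# OUTDIR/cert-NNN.pem, dropping any text between blocks. Prints the count.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != ""                      { print > out }
        /^-----END CERTIFICATE-----/   { close(out); out = "" }
        END                            { print n + 0 }
    ' "$1"
}
```

After splitting, `c_rehash` is run on the output directory to create the hash links, and `audit_capath` should then report nothing.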

More information about the blfs-dev mailing list