Hi,

I'm currently wondering where the "correct" location is in Leap 42.1 to save server certificates and keys. I think I heard that /etc/ssl/certs is not to be used because updates might overwrite the content. So I saved both into /etc/ssl/private but quickly ran into another issue. /etc/ssl/private is only readable by root. I need in this case access for "ldap" to read the key and certificate and used setfacl to give read access to that user. Now apparently the openssl update which came in changed the directory permissions again so that ldap couldn't access /etc/ssl/private anymore.

Therefore the simple question: somebody must have thought about where to save those certificates and how to secure access to them.

Any pointer?

Thanks,
Wolfgang

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
/etc/ssl/certs is deprecated and is now a softlink to /var/lib/ca-certificates/pem; updates will not clobber any files you place underneath it. CA certificates should be placed under /etc/pki/trust/anchors. I've always dropped both my cert (mode 0644) and key (mode 0600), owned by root, into /etc/ssl/certs or /var/lib/ca-certificates/pem.

Are you requiring client certificates for connecting to your LDAP server? Otherwise I don't see why you'd need a client cert & key on the client hosts. If you're not requiring client certs then the only requirement for LDAPS would be installing and trusting the CA certificate that signed the LDAP server's keypair on any system/service connecting to LDAPS.

Also, after installing your certificates into either of the aforementioned locations you should run update-ca-certificates to create the openssl subject hash for your CA certificates.
--
Later,
Darin
On Fri, May 6, 2016 at 11:37 AM, Wolfgang Rosenauer wrote:
> Hi,
> I'm currently wondering where the "correct" location is in Leap 42.1 to save server certificates and keys. I think I heard that /etc/ssl/certs is not to be used because updates might overwrite the content. So I saved both into /etc/ssl/private but quickly ran into another issue. /etc/ssl/private is only readable by root. I need in this case access for "ldap" to read the key and certificate and used setfacl to give read access to that user. Now apparently the openssl update which came in changed the directory permissions again so that ldap couldn't access /etc/ssl/private anymore.
> Therefore the simple question: somebody must have thought about where to save those certificates and how to secure access to them.
> Any pointer?
> Thanks,
> Wolfgang
Hi,

On 06.05.2016 at 18:38, Darin Perusich wrote:
> /etc/ssl/certs is deprecated and is now a softlink to /var/lib/ca-certificates/pem; updates will not clobber any files you place underneath it. CA certificates should be placed under /etc/pki/trust/anchors. I've always dropped both my cert (mode 0644) and key (mode 0600), owned by root, into /etc/ssl/certs or /var/lib/ca-certificates/pem.
> Are you requiring client certificates for connecting to your LDAP server? Otherwise I don't see why you'd need a client cert & key on the client hosts. If you're not requiring client certs then the only requirement for LDAPS would be installing and trusting the CA certificate that signed the LDAP server's keypair on any system/service connecting to LDAPS.
I am the LDAP server in that case. I mean I could just always mimic what YaST's CA management does and create /etc/ssl/servercerts, which is not touched by anything. I just wasn't sure if that is really the right way. (I know there are a thousand ways anyway.)

Wolfgang
Hi,

On 06.05.2016 at 18:38, Darin Perusich wrote:
> /etc/ssl/certs is deprecated and is now a softlink to /var/lib/ca-certificates/pem; updates will not clobber any files you place underneath it.
For testing I have now copied the intermediate certs I need for my cert into /etc/ssl/certs.
> Also, after installing your certificates into either of the aforementioned locations you should run update-ca-certificates to create the openssl subject hash for your CA certificates.
After running update-ca-certificates the copied file was gone. Therefore no, updates _will_ clobber any files I place in /etc/ssl/certs. So where to place them instead?
On Fri, 6 May 2016 20:02, Wolfgang Rosenauer wrote:
> Hi,
> On 06.05.2016 at 18:38, Darin Perusich wrote:
>> /etc/ssl/certs is deprecated and is now a softlink to /var/lib/ca-certificates/pem; updates will not clobber any files you place underneath it.
> For testing I have now copied the intermediate certs I need for my cert into /etc/ssl/certs.
>> Also, after installing your certificates into either of the aforementioned locations you should run update-ca-certificates to create the openssl subject hash for your CA certificates.
> After running update-ca-certificates the copied file was gone.
> Therefore no, updates _will_ clobber any files I place in /etc/ssl/certs. So where to place them instead?
Urgs! (Circular Reasoning leads to nothing.)

NEW Location (dir): "/etc/pki/trust/anchors/"

INFO: "tail /usr/lib/ca-certificates/update.d/80etc_ssl.run"
Found by reading "/usr/sbin/update-ca-certificates"

- Yamaban
On 06.05.2016 21:20, Yamaban wrote:
> On Fri, 6 May 2016 20:02, Wolfgang Rosenauer wrote:
>> Hi,
>> On 06.05.2016 at 18:38, Darin Perusich wrote:
>>> /etc/ssl/certs is deprecated and is now a softlink to /var/lib/ca-certificates/pem; updates will not clobber any files you place underneath it.
>> For testing I have now copied the intermediate certs I need for my cert into /etc/ssl/certs.
>>> Also, after installing your certificates into either of the aforementioned locations you should run update-ca-certificates to create the openssl subject hash for your CA certificates.
>> After running update-ca-certificates the copied file was gone.
>> Therefore no, updates _will_ clobber any files I place in /etc/ssl/certs. So where to place them instead?
> Urgs! (Circular Reasoning leads to nothing.)
> NEW Location (dir): "/etc/pki/trust/anchors/"
> INFO: "tail /usr/lib/ca-certificates/update.d/80etc_ssl.run"
> Found by reading "/usr/sbin/update-ca-certificates"
Oh, oh, this seems to have finally become completely confusing ... So some points.

1. update-ca-certificates is for management of CA certificates *ONLY*. It is *NOT* for managing your own server certificates.

2. /var/lib/ca-certificates/pem is maintained by update-ca-certificates and always contains a copy of the *CA* certificates known to p11-kit. Any extra content is removed from there. Placing a *server* certificate in this directory makes no sense.

3. If /etc/ssl/certs is not a link to /var/lib/ca-certificates/pem, update-ca-certificates places links to the individual files in /var/lib/ca-certificates/pem in this directory. In this case extra content is not removed (unless it is a dangling link). Once again: this directory is for *CA* certificates *only*.

4. The source for /var/lib/ca-certificates/pem is indeed /usr/share/pkg or /etc/pki. Should I once more repeat, this is for CA certificates only?

5. Finally /var/lib/ca-certificates/pem is not used by itself by anything; it exists only as the target for links in /etc/ssl/certs. And only applications that actually use the /etc/ssl/certs directory will be affected. Obligatory note - only CA certificates here ...

Now, when creating a self-signed certificate, this certificate actually serves as both CA and server. So you /may/ install this certificate in /etc/pki/anchors and run update-ca-certificates; but you *still* need to

a) configure your application to use one of the central locations (managed by update-ca-certificates) to look up CA certificates;
b) install the generated certificate (both private and public part) in a location accessible to your application as server certificate.

For the latter no "standard" place really exists. It is completely up to you to manage them. If you use the YaST module for LDAP server configuration, it will add ACLs on the private part (i.e. key), but you still must make sure that the path is accessible to the ldap user. It may be possible to use the common server certificate; YaST installs it into /etc/ssl/servercert.
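The split the thread arrives at (CA certificates go under /etc/pki/trust/anchors and are published by update-ca-certificates; the server's own cert and key live in a directory of your choosing that the service user can read) as an added example script. This is not code from any of the posters: the function names, the ROOT prefix (so it can be dry-run unprivileged against a temporary tree) and the use of group ownership instead of Wolfgang's setfacl are my assumptions; /etc/ssl/servercerts is used only because the thread names it as the YaST location.

```shell
#!/bin/sh
# Added example (not from the thread): stage an LDAP server cert/key pair in
# its own directory, stage a CA certificate under the trust-anchor directory,
# and audit the key's permissions.
# Assumptions (mine, not the posters'): the service reads the key as a member
# of SERVICE_GROUP; ROOT is a prefix ("/" on a real host, a temp dir for an
# unprivileged dry run); /etc/ssl/servercerts is the server-cert directory.
set -u

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Copy cert (0644) and key (0640, group = service group) into
# ROOT/etc/ssl/servercerts. Nothing in here is touched by update-ca-certificates.
stage_server_cert() {
    root=$1 cert=$2 key=$3 group=$4
    dir="$root/etc/ssl/servercerts"
    mkdir -p "$dir" && chmod 0755 "$dir" || return 1
    cp "$cert" "$dir/servercert.pem" && chmod 0644 "$dir/servercert.pem" || return 1
    cp "$key" "$dir/serverkey.pem" || return 1
    chgrp "$group" "$dir/serverkey.pem" && chmod 0640 "$dir/serverkey.pem" || return 1
}

# Stage a CA certificate where update-ca-certificates looks for local anchors.
# This only copies the file; on a real host run update-ca-certificates
# afterwards so /var/lib/ca-certificates/pem and the hash links are regenerated.
install_ca_anchor() {
    root=$1 ca=$2
    dir="$root/etc/pki/trust/anchors"
    mkdir -p "$dir" && cp "$ca" "$dir/" || return 1
    chmod 0644 "$dir/$(basename "$ca")"
}

# Audit: succeed only if the private key grants no permission bits to "other".
audit_key() {
    mode=$(file_mode "$1") || return 2
    other=${mode#"${mode%?}"}          # last octal digit
    [ "$other" = "0" ]
}

# Audit: succeed only if the key's group is GROUP (name or gid) and the
# group-read bit is set, i.e. the service user can actually open the key.
key_readable_by_group() {
    gname=$(stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1") || return 2
    gid=$(stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1") || return 2
    mode=$(file_mode "$1") || return 2
    g=${mode%?}; g=${g#"${g%?}"}       # middle octal digit
    { [ "$gname" = "$2" ] || [ "$gid" = "$2" ]; } && [ $((g & 4)) -eq 4 ]
}
```

Source the file and call, for example, `stage_server_cert / server.crt server.key ldap` followed by `audit_key /etc/ssl/servercerts/serverkey.pem` and `key_readable_by_group /etc/ssl/servercerts/serverkey.pem ldap`. Group ownership is used here so the script can run without root against a temporary ROOT; where the key has to be shared with more than one service account, an ACL as Wolfgang used (setfacl on the key file) is the alternative, and the audit of the "other" bits applies unchanged.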
participants (4): Andrei Borzenkov, Darin Perusich, Wolfgang Rosenauer, Yamaban