Mailinglist Archive: opensuse (769 mails)

Re: [opensuse] certificates
/etc/ssl/certs is deprecated and is now a softlink to
/var/lib/ca-certificates/pem; updates will not clobber any files you
place underneath it. CA certificates should be placed under
/etc/pki/trust/anchors. I've always dropped both my cert (mode 0644)
and key (mode 0600), owned by root, into /etc/ssl/certs or
/var/lib/ca-certificates/pem.

Are you requiring client certificates for connecting to your LDAP
server? Otherwise I don't see why you'd need a client cert & key on the
client hosts. If you're not requiring client certs then the only
requirement for LDAPS would be installing and trusting the CA
certificate that signed the LDAP server's keypair on any system/service
connecting to LDAPS.

Also, after installing your certificates into either of the
aforementioned locations you should run update-ca-certificates to
create the openssl subject hash for your CA certificates.
--
Later,
Darin


On Fri, May 6, 2016 at 11:37 AM, Wolfgang Rosenauer
<wolfgang@xxxxxxxxxxxxx> wrote:
Hi,

I'm currently wondering where the "correct" location is in Leap 42.1 to
save server certificates and keys.
I think I heard that /etc/ssl/certs is not to be used because updates
might overwrite the content.
So I saved both into /etc/ssl/private but quickly ran into another
issue. /etc/ssl/private is only readable by root. I need in this case
access for "ldap" to read the key and certificate and used setfacl to
give read access to that user.
Now apparently the openssl update which came in changed the directory
permissions again so that ldap couldn't access /etc/ssl/private anymore.

Therefore the simple question:
Somebody must have thought about where to save those certificates and
how to secure access to them.

Any pointer?


Thanks,
Wolfgang
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

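As an added example (not code from either mail in this thread), a POSIX shell script that puts the CA certificate under /etc/pki/trust/anchors, runs update-ca-certificates, and lets the ldap service user read the server key through group ownership rather than a setfacl ACL, with a check that nobody outside that group can read it. The directory /etc/openldap/tls, the group name "ldap" and GNU coreutils stat are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Installs an LDAP server's CA cert,
# server cert and private key on openSUSE and checks that the "ldap"
# service user can read the key through group ownership rather than a
# setfacl ACL (which the thread reports an openssl update undoing).
# Assumptions: the "ldap" group exists, /etc/openldap/tls is a placeholder
# directory owned by no package, and stat is GNU coreutils stat.
set -eu

# Return 0 when only root and members of GROUP can read FILE: mode 0640,
# group GROUP, and the containing directory traversable by GROUP (either
# through its other x bit, or its group x bit with a matching group).
key_readable_only_by_group() {
    file=$1; group=$2
    [ -f "$file" ] || return 1
    [ "$(stat -c '%a %G' "$file")" = "640 $group" ] || return 1
    dir=$(dirname "$file")
    dperm=$(stat -c '%A' "$dir")                 # e.g. drwxr-x---
    dgrp=$(stat -c '%G' "$dir")
    if [ "$(printf '%s' "$dperm" | cut -c10)" = x ]; then
        return 0                                 # world-traversable dir
    fi
    [ "$dgrp" = "$group" ] || return 1
    [ "$(printf '%s' "$dperm" | cut -c7)" = x ] || return 1
    return 0
}

# Run as root on the LDAP host: CA -> trust anchors, then rebuild the
# store so the subject-hash symlink appears under /var/lib/ca-certificates;
# server cert world-readable, key root:ldap 0640 in a directory we own.
install_ldap_tls() {
    ca=$1; cert=$2; key=$3; group=${4:-ldap}; dest=${5:-/etc/openldap/tls}
    install -o root -g root -m 0644 "$ca" /etc/pki/trust/anchors/
    update-ca-certificates
    install -d -o root -g "$group" -m 0750 "$dest"
    install -o root -g root     -m 0644 "$cert" "$dest/"
    install -o root -g "$group" -m 0640 "$key"  "$dest/"
    key_readable_only_by_group "$dest/$(basename "$key")" "$group"
    # Confirm the server cert chains to the freshly installed anchor via
    # the default store (assumes the CA signed the server cert directly).
    openssl verify "$dest/$(basename "$cert")"
}
```

Call install_ldap_tls with the CA, cert and key paths as root; the permission check fails the script if the key ends up world-readable or the directory stops being traversable by the group.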
