Mailinglist Archive: opensuse (769 mails)

Re: [opensuse] Re: certificates
On 06.05.2016 21:20, Yamaban wrote:
On Fri, 6 May 2016 20:02, Wolfgang Rosenauer wrote:


On 06.05.2016 at 18:38, Darin Perusich wrote:
/etc/ssl/certs is deprecated and is now a softlink to
/var/lib/ca-certificates/pem, updates will not clobber any files you
place underneath it.

For testing I have now copied the intermediate certs I need for my cert
into /etc/ssl/certs

Also, after installing your certificates into either of the
aforementioned locations you should run update-ca-certificates to
create the openssl subject hash for your CA certificates.

after running update-ca-certificates the copied file was gone.

Therefore no, updates _will_ clobber any files I place in
/etc/ssl/certs. So where to place them instead?

Urgs! (Circular Reasoning leads to nothing.)

NEW Location (dir): "/etc/pki/trust/anchors/"

INFO: "tail /usr/lib/ca-certificates/update.d/"
Found by reading "/usr/sbin/update-ca-certificates"

Oh, oh, this seems to have finally become completely confusing ...

So some points.

1. update-ca-certificates is for management of CA certificates *ONLY*.
It is *NOT* for managing your own server certificates.

2. /var/lib/ca-certificates/pem is maintained by update-ca-certificates
and always contains a copy of the *CA* certificates known to p11-kit. Any
extra content is removed from there. Placing a *server* certificate in
this directory makes no sense.

3. If /etc/ssl/certs is not a link to /var/lib/ca-certificates/pem,
update-ca-certs places links to individual files in
/var/lib/ca-certificates/pem in this directory. In this case extra
content is not removed (unless it is a dangling link). Once again, this
directory is for *CA* certificates *only*.

4. The source for /var/lib/ca-certificates/pem is indeed /usr/share/pkg
or /etc/pki. Should I once more repeat, this is for CA certificates only?

5. Finally /var/lib/ca-certificates/pem is not used by itself by
anything; it exists only as a target for links in /etc/ssl/certs. And only
applications that actually use the /etc/ssl/certs directory will be
affected. Obligatory note - only CA certificates here ...

Now, when creating a self-signed certificate, this certificate actually
serves as both CA and server. So you /may/ install this certificate in
/etc/pki/anchors and run update-ca-certificates; but you *still* need to

a) configure your application to use one of the central locations (managed
by update-ca-certificates) to look up CA certificates;

b) install the generated certificate (both private and public part) in a
location accessible to your application as the server certificate.

For the latter no "standard" place really exists. It is completely up to
you to manage them. If you use the YaST module for LDAP server
configuration, it will add ACLs on the private part (i.e. key) but you still
must make sure that the path is accessible to the ldap user. It may be possible
to use a common server certificate; YaST installs it into /etc/ssl/servercert.
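The thread keeps returning to the "openssl subject hash" that update-ca-certificates creates for the links in /etc/ssl/certs. The following is an added example, not code from the thread or from the openSUSE scripts: it reimplements OpenSSL's X509_NAME_hash() (SHA-1 over the canonical name encoding, first four bytes little-endian) for simple single-attribute RDN subjects, so you can see why a certificate in that directory is only ever found by its subject name, i.e. when it is the issuer of something (a CA, or a self-signed certificate acting as its own CA). The attribute-type table and the c_rehash-style `<hash>.N` file name are assumptions of this example.

```python
import hashlib

# Attribute types handled here, as DER-encoded OIDs (assumed table for the
# example; enough for the usual C/ST/L/O/OU/CN subjects).
_OID = {
    "C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
    "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03",
}

def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short-form or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def _canon_string(value: str) -> bytes:
    """asn1_string_canon(): UTF-8, trimmed, runs of spaces collapsed to one,
    ASCII letters lower-cased (bytes.lower() is ASCII-only, like OpenSSL)."""
    return " ".join(value.split()).encode("utf-8").lower()

def canonical_name_der(rdns) -> bytes:
    """Canonical X509_NAME encoding: one SET per single-attribute RDN, each
    holding SEQUENCE { OID, UTF8String }; the outer SEQUENCE header is omitted."""
    out = b""
    for attr, value in rdns:
        entry = _tlv(0x06, _OID[attr.upper()]) + _tlv(0x0C, _canon_string(value))
        out += _tlv(0x31, _tlv(0x30, entry))
    return out

def subject_hash(rdns) -> str:
    """X509_NAME_hash(): first 4 bytes of SHA-1(canonical encoding), little-endian,
    printed as 8 hex digits; the same value `openssl x509 -subject_hash` prints."""
    digest = hashlib.sha1(canonical_name_der(rdns)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def link_name(rdns, taken=()) -> str:
    """c_rehash-style link name <hash>.<n>; n steps past names already in use,
    which is how two CAs with colliding hashes can share one directory."""
    h, n = subject_hash(rdns), 0
    while f"{h}.{n}" in taken:
        n += 1
    return f"{h}.{n}"

if __name__ == "__main__":
    # Constructed sample subject, not a real CA.
    ca = [("C", "DE"), ("O", "Example Org"), ("CN", "Example Root CA")]
    print(subject_hash(ca), link_name(ca))
```

Because lookups in a hashed directory are keyed by the issuer name of the certificate being verified, a server certificate dropped in /etc/ssl/certs is never consulted unless its subject is also some certificate's issuer, which is exactly the self-signed case the message describes.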