/etc/ssl/certs is deprecated and is now a softlink to
/var/lib/ca-certificates/pem; updates will not clobber any files you
place underneath it. CA certificates should be placed under
/etc/pki/trust/anchors. I've always dropped both my cert (mode 0644)
and key (mode 0600), owned by root, into /etc/ssl/certs or
/var/lib/ca-certificates/pem.
Are you requiring client certificates for connecting to your LDAP
server? Otherwise I don't see why you'd need a client cert & key on the
client hosts. If you're not requiring client certs then the only
requirement for LDAPS would be installing and trusting the CA
certificate that signed the LDAP server's keypair on any system/service
connecting to LDAPS.
Also, after installing your certificates into either of the
aforementioned locations you should run update-ca-certificates to
create the openssl subject hash for your CA certificates.
--
Later,
Darin
On Fri, May 6, 2016 at 11:37 AM, Wolfgang Rosenauer
Hi,
I'm currently wondering where the "correct" location is in Leap 42.1 to save server certificates and keys. I think I heard that /etc/ssl/certs is not to be used because updates might overwrite the content. So I saved both into /etc/ssl/private but quickly ran into another issue. /etc/ssl/private is only readable by root. I need in this case access for "ldap" to read the key and certificate and used setfacl to give read access to that user. Now apparently the openssl update which came in changed the directory permissions again so that ldap couldn't access /etc/ssl/private anymore.
Therefore the simple question: Somebody must have thought about where to save those certificates and how to secure access to them.
Any pointer?
Thanks, Wolfgang
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
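As an added illustration (not code from either message in the thread): a Python check for the two points raised above, the 0644/0600 root-owned convention for the cert and key, and whether a non-root service account such as "ldap" can still traverse every directory down to the key once a package update has reset directory permissions. Assumption: only the classic mode bits are evaluated, so POSIX ACLs set with setfacl are not consulted, and uid 0 is deliberately not special-cased so the result reflects what the service user would see.

```python
import os
import stat
from pathlib import Path

# Convention from the thread: server cert 0644, private key 0600, both owned by root.
EXPECTED_MODES = {"cert": 0o644, "key": 0o600}


def _bits_for(st, uid, gids):
    """Return the r/w/x triplet (as an int 0-7) that applies to uid/gids for st."""
    mode = st.st_mode
    if st.st_uid == uid:
        return (mode >> 6) & 0o7
    if st.st_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def can_read_as(path, uid, gids):
    """Walk from / down to path and report the first component that blocks uid.

    Classic mode bits only (ACLs are ignored, which is an assumption of this
    example); uid 0 is not treated as privileged. Returns (ok, blocking_path).
    """
    p = Path(path).resolve()
    for parent in reversed(p.parents):                      # '/' first, then downwards
        if not (_bits_for(os.stat(parent), uid, gids) & 0o1):  # need x to traverse a dir
            return False, str(parent)
    if not (_bits_for(os.stat(p), uid, gids) & 0o4):         # need r on the file itself
        return False, str(p)
    return True, None


def audit_pair(cert_path, key_path, owner_uid=0):
    """Compare a cert/key pair against the 0644/0600, root-owned convention."""
    findings = []
    for kind, path in (("cert", cert_path), ("key", key_path)):
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode != EXPECTED_MODES[kind]:
            findings.append(f"{path}: mode {mode:04o}, expected {EXPECTED_MODES[kind]:04o}")
        if st.st_uid != owner_uid:
            findings.append(f"{path}: owner uid {st.st_uid}, expected {owner_uid}")
        if kind == "key" and mode & 0o044:
            findings.append(f"{path}: private key is readable by group or others")
    return findings
```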