From owner-freebsd-questions@freebsd.org Fri Dec 2 16:07:58 2016
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Message-ID: <9b1e8b799dcc4a5ed49ef535e8abde69.squirrel@webmail.harte-lyne.ca>
Date: Fri, 2 Dec 2016 11:07:47 -0500
Subject: Where to put PKI keys?
From: "James B. Byrne"
To: freebsd-questions@freebsd.org
Reply-To: byrnejb@harte-lyne.ca
List-Id: User questions

FreeBSD-10.3 & 11.0

We operate a private CA for our firm and its employees. We are also in the process of moving from CentOS to FreeBSD. My experience therefore is mostly RHEL-based Linux. On post-RHEL-5 based systems PKI certificates and keys are maintained in a central store called '/etc/pki/'. This is sub-divided according to need, but the primary place to find things relating to ssl/tls is '/etc/pki/tls/certs/' and '/etc/pki/tls/private/'.

FreeBSD seems to follow the principle that packagers themselves will define where their packages' keys and certs are kept. Which is entirely understandable. But I am accustomed to looking in one place for this sort of stuff. I have searched for references to FreeBSD on this subject and have not found much.

My question is: Is there a recommended directory structure for FreeBSD pertaining to centralised PKI storage? I realise that I can just create '/etc/pki/tls/' or '/usr/local/etc/pki/tls/' and manage things idiosyncratically, but if there is any existing convention covering this then I would like to consider it. I note that '/usr/local/share/certs/' is used for the CA bundle cert chain.
Would '/usr/local/share/keys/' be considered an acceptable place for keys?

-- 
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
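Whatever directory convention is chosen, the part that actually matters for security is that the private-key side of the store is root-only while the certificate side stays world-readable, and that this stays true after every key rotation. The script below is an added example, not code from the poster or from FreeBSD; it uses the poster's proposed '/usr/local/etc/pki/tls' layout (certs/ and private/, mirroring the RHEL split) as its default base, creates it with least-privilege modes, installs a cert/key pair, and audits private/ for any file or directory that has group or other permission bits set. It uses only ls, cut, find and install so it behaves the same on FreeBSD and Linux.

```shell
#!/bin/sh
# Added example (not the poster's or FreeBSD's code): a centralised PKI
# store with the RHEL-style certs/ vs private/ split under the poster's
# proposed base path. PKI_BASE is an assumption and can be overridden.
PKI_BASE="${PKI_BASE:-/usr/local/etc/pki/tls}"

# pki_init BASE: create the layout. Certificates are public, so certs/
# is 0755; private keys are not, so private/ is 0700 (root only).
pki_init() {
    base="$1"
    mkdir -p "$base/certs" "$base/private" || return 1
    chmod 0755 "$base" "$base/certs" || return 1
    chmod 0700 "$base/private" || return 1
}

# pki_install_pair CERT KEY BASE NAME: copy a cert/key pair into the store
# with explicit modes, so the caller's umask cannot leave a key readable.
pki_install_pair() {
    cert="$1"; key="$2"; base="$3"; name="$4"
    install -m 0644 "$cert" "$base/certs/$name.crt" || return 1
    install -m 0600 "$key" "$base/private/$name.key" || return 1
}

# pki_audit BASE: list every entry under private/ (the directory itself
# included) whose group or other permission bits are not all cleared.
# Returns 0 when the store is clean, 1 when something is exposed, 2 when
# the store is missing. Columns 5-10 of `ls -ld` are the group/other bits.
pki_audit() {
    base="$1"
    [ -d "$base/private" ] || { echo "missing $base/private" >&2; return 2; }
    offenders=$(
        find "$base/private" -print | while IFS= read -r f; do
            perms=$(ls -ld "$f" | cut -c5-10)
            [ "$perms" = "------" ] || printf '%s %s\n' "$perms" "$f"
        done
    )
    if [ -n "$offenders" ]; then
        printf 'private key store exposure (group/other bits):\n%s\n' \
            "$offenders" >&2
        return 1
    fi
    return 0
}

# Command-line dispatch: `./pki.sh init [BASE]` or `./pki.sh audit [BASE]`.
case "${1:-}" in
    init)  pki_init "${2:-$PKI_BASE}" ;;
    audit) pki_audit "${2:-$PKI_BASE}" ;;
esac
```

Running `audit` from a periodic job gives an early warning when a deployment tool or a manual `cp` drops a key into private/ with the wrong mode; `install -m` rather than `cp` is what keeps the common case from ever getting there.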