Date: Fri, 2 Dec 2016 17:02:37 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Where to put PKI keys?
Message-ID: <30083442-eb77-18bd-6bf3-1de686775af3@FreeBSD.org>
In-Reply-To: <9b1e8b799dcc4a5ed49ef535e8abde69.squirrel@webmail.harte-lyne.ca>
References: <9b1e8b799dcc4a5ed49ef535e8abde69.squirrel@webmail.harte-lyne.ca>
On 02/12/2016 16:07, James B. Byrne via freebsd-questions wrote:
> FreeBSD-10.3 & 11.0
>
> We operate a private CA for our firm and its employees. We are also
> in the process of moving from CentOS to FreeBSD. My experience
> therefore is mostly RHEL based Linux.
>
> On post RHEL-5 based systems PKI certificates and keys are maintained
> in a central store called '/etc/pki/'. This is sub-divided according
> to need but the primary place to find things relating to ssl/tls is
> '/etc/pki/tls/certs/' and '/etc/pki/tls/private/'.
>
> FreeBSD seems to follow the principle that packagers themselves will
> define where their packages' keys and certs are kept. Which is
> entirely understandable. But I am accustomed to looking in one place
> for this sort of stuff. I have searched for references to FreeBSD on
> this subject and have not found much.
>
> My question is: Is there a recommended directory structure for
> FreeBSD pertaining to centralised PKI storage?
>
> I realise that I can just create '/etc/pki/tls/' or
> '/usr/local/etc/pki/tls/' and manage things idiosyncratically, but if
> there is any existing convention covering this then I would like to
> consider it. I note that '/usr/local/share/certs/' is used for the ca
> bundle cert chain. Would '/usr/local/share/keys/' be considered an
> acceptable place for keys?

Your deductions are correct: there is no centrally mandated location for
storing keys and certificates. About the closest thing is
/usr/local/etc/ssl -- on the basis that is where the ca_root_nss package
puts a link to its list of trusted CA certificates.
/usr/local/share/certs is intended just as a holding area for the files
the package installs; the place where other software should expect to
find the CA certificate collection is /usr/local/etc/ssl.

Except that to be really effective like that, CA certificates should be
added as individual files and there should be a script to create links
within that directory based on the certificate checksum. This would
make it possible to add local certificates as trusted and still manage
the default collection reasonably with pkg(8).

Applications will have their own suggested locations for keys and
certificates -- for instance sendmail in the base system uses
/etc/mail/certs -- but you are at liberty to invent whatever scheme
makes sense to you.

This is a FreeBSD thing, often summarized in the mantra "tools, not
policy." Meaning that it is FreeBSD's role to give you what you need to
perform whatever task you want, but it is not FreeBSD's role to force
you into doing that task in any particular way. This does mean that you
still have some work to do once you've installed an application in order
to make it work properly. That's good for advanced users who probably
have all sorts of configuration systems all set to generate config
files, but not so good for the beginners.

So, sure -- if you want to create a centralized /usr/local/etc/pki/tls
directory hierarchy, please go right ahead.
Cheers,

Matthew
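Matthew's suggestion above (individual CA files plus a script that creates links within the directory keyed on the certificate) is the hashed-directory layout that OpenSSL searches when given -CApath, and that OpenSSL's own c_rehash script (or "openssl rehash" on 1.1.0 and later) produces. One detail worth knowing: OpenSSL's lookup key is a hash of the certificate's subject name, obtained with "openssl x509 -subject_hash", rather than a checksum of the file. The script below is an added example written for this page; it is not code from the thread, from FreeBSD, or from the ca_root_nss port. The script name rehash_certs.sh, the directory names local-certs and certs, and the two self-signed certificates it generates for its self-check are assumptions for illustration, and it needs openssl(1) in PATH.

```shell
#!/bin/sh
# rehash_certs.sh: build an OpenSSL-style hashed CA directory from a
# directory of individual PEM files, so that local CA certificates can be
# added alongside a package-managed bundle without editing the bundle.
#
# Added example; not from the freebsd-questions thread, FreeBSD, or the
# ca_root_nss port. The directory names below are assumptions, and
# openssl(1) must be in PATH.
set -e

# rehash_certs SRC DST
#   Creates DST/<subject_hash>.<n> symlinks for every SRC/*.pem, the layout
#   that OpenSSL's -CApath / SSL_CTX_load_verify_locations() searches. The
#   key is "openssl x509 -subject_hash" (a hash of the subject name, not a
#   checksum of the file); .<n> disambiguates subject-name hash collisions.
rehash_certs() {
    src=$1
    dst=$2
    # Symlinks are resolved relative to DST, so make SRC absolute.
    case "$src" in
        /*) ;;
        *) src="$(pwd)/$src" ;;
    esac
    mkdir -p "$dst"
    # Drop the previous run's links first so a certificate removed from SRC
    # stops being trusted instead of lingering as a stale link.
    find "$dst" -type l -name '[0-9a-f]*.[0-9]*' -exec rm -f {} +
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$pem")
        n=0
        while [ -e "$dst/$hash.$n" ]; do
            n=$((n + 1))
        done
        ln -s "$pem" "$dst/$hash.$n"
    done
}

# demo_rehash: self-check on constructed input. It generates two
# self-signed "CA" certificates, puts only the first into the source
# directory, rehashes, and confirms that OpenSSL trusts the first and
# rejects the second when pointed at the hashed directory. Returns 0 on
# success, 1 on any failed check.
demo_rehash() {
    work=$(mktemp -d)
    src="$work/local-certs"
    dst="$work/certs"
    mkdir -p "$src"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=Example Firm/CN=Example Private CA' \
        -keyout "$work/example-ca.key" -out "$src/example-ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=Someone Else/CN=Untrusted CA' \
        -keyout "$work/other-ca.key" -out "$work/other-ca.pem" >/dev/null 2>&1

    rehash_certs "$src" "$dst"

    # One certificate in, exactly one hash link out, and it resolves.
    links=$(find "$dst" -type l | wc -l | tr -d ' ')
    [ "$links" -eq 1 ] || return 1
    for link in "$dst"/*; do
        [ -e "$link" ] || return 1
    done
    # The local CA validates against the hashed directory ...
    openssl verify -CApath "$dst" "$src/example-ca.pem" >/dev/null 2>&1 || return 1
    # ... and a CA that was never added does not.
    if openssl verify -CApath "$dst" "$work/other-ca.pem" >/dev/null 2>&1; then
        return 1
    fi
    rm -rf "$work"
    return 0
}

# Run the self-check only when executed directly; sourcing the file just
# defines the functions so rehash_certs can be called from other scripts.
case "$0" in
    *rehash_certs.sh) demo_rehash && echo "hashed CA directory OK" ;;
esac
```

In practice you would keep your firm's CA certificates as individual files in a directory that pkg(8) does not manage (local-certs here is a placeholder name), run rehash_certs against the hashed directory your applications are pointed at, and re-run it whenever a CA is added or retired; the stale-link removal at the start of rehash_certs is what makes retirement actually take effect. Note that this only covers trust-store certificates; private keys never belong in a directory that OpenSSL is asked to search, and should stay in a separate, root-only directory such as the '/usr/local/etc/pki/tls/private/'-style split the original question describes.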
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?30083442-eb77-18bd-6bf3-1de686775af3>