Date: Fri, 2 Dec 2016 11:58:00 -0600 (CST)
From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To: "Matthew Seaman" <matthew@FreeBSD.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: Where to put PKI keys?
Message-ID: <49315.128.135.52.6.1480701480.squirrel@cosmo.uchicago.edu>
In-Reply-To: <30083442-eb77-18bd-6bf3-1de686775af3@FreeBSD.org>
References: <9b1e8b799dcc4a5ed49ef535e8abde69.squirrel@webmail.harte-lyne.ca> <30083442-eb77-18bd-6bf3-1de686775af3@FreeBSD.org>
On Fri, December 2, 2016 11:02 am, Matthew Seaman wrote:
> On 02/12/2016 16:07, James B. Byrne via freebsd-questions wrote:
>> FreeBSD-10.3 & 11.0
>>
>> We operate a private CA for our firm and its employees. We are also
>> in the process of moving from CentOS to FreeBSD. My experience
>> therefore is mostly RHEL based Linux.
>>
>> On post RHEL-5 based systems PKI certificates and keys are maintained
>> in a central store called '/etc/pki/'. This is sub-divided according
>> to need but the primary place to find things relating to ssl/tls is
>> '/etc/pki/tls/certs/' and '/etc/pki/tls/private/'.
>>
>> FreeBSD seems to follow the principle that packagers themselves will
>> define where their packages' keys and certs are kept. Which is
>> entirely understandable. But I am accustomed to looking in one place
>> for this sort of stuff. I have searched for references to FreeBSD on
>> this subject and have not found much.
>>
>> My question is: Is there a recommended directory structure for
>> FreeBSD pertaining to centralised PKI storage?
>>
>> I realise that I can just create '/etc/pki/tls/' or
>> '/usr/local/etc/pki/tls/' and manage things idiosyncratically, but if
>> there is any existing convention covering this then I would like to
>> consider it. I note that '/usr/local/share/certs/' is used for the ca
>> bundle cert chain. Would '/usr/local/share/keys/' be considered an
>> acceptable place for keys?
>
> Your deductions are correct: there is no centrally mandated location for
> storing keys and certificates. About the closest thing is
> /usr/local/etc/ssl -- on the basis that is where the ca_root_nss package
> puts a link to its list of trusted CA certificates.
> /usr/local/share/certs is intended just as a holding area for the files
> the package installs; the place where other software should expect to
> find the CA certificate collection is /usr/local/etc/ssl. Except that
> to be really effective like that, CA certificates should be added as
> individual files and there should be a script to create links within
> that directory based on the certificate checksum. This would make it
> possible to add local certificates as trusted and still manage the
> default collection reasonably with pkg(8).
>
> Applications will have their own suggested locations for keys and
> certificates -- for instance sendmail in the base system uses
> /etc/mail/certs -- but you are at liberty to invent whatever scheme
> makes sense to you.
>
> This is a FreeBSD thing, often summarized in the mantra "tools, not
> policy." Meaning that it is FreeBSD's role to give you what you need to
> perform whatever task you want, but it is not FreeBSD's role to force
> you into doing that task in any particular way. This does mean that you
> still have some work to do once you've installed an application in order
> to make it work properly. That's good for advanced users who probably
> have all sorts of configuration systems all set to generate config
> files, but not so good for the beginners.
>
> So, sure -- if you want to create a centralized /usr/local/etc/pkg/tli
> directory hierarchy, please go right ahead.
>

Just to add to what Matthew said. I usually place certs into /etc/ssl/certs, and keys into /etc/ssl/private (making sure the latter is readable by root only - even though the same is true of the keys I place there). The choice of this location forces me not to forget to install the ca_root_nss package. But as I often have services requiring certificates running one service per jail, in those cases I place certificates just in the place where the config files for that service live, e.g. /usr/local/etc/apache24 for a jail with apache.

This decision I made for myself by ruling out an alternative: placing certs some place on the host system and nullfs mounting them into jails, as I figured some day I will run some daemon that will not know how to droppriv, so I will have to make the key readable for its unprivileged user.

I hope this helps.

Valeri

> Cheers,
>
> Matthew
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
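An added example, not code from the thread or from FreeBSD: a small audit of the certs/ + private/ split Valeri describes (certificates public, keys readable by root only). It checks ownership and permission bits on the private tree and flags any PEM private key that has ended up in the world-readable certs directory. The layout under a single root, the `expected_uid` parameter (0 = root) and the PEM-header heuristic are assumptions of this example.

```python
import stat
from pathlib import Path

# Assumed layout, modelled on the /etc/ssl/certs + /etc/ssl/private split from the
# thread: certificates are public, private keys are readable by their owner only.
PEM_KEY_MARKER = b"PRIVATE KEY-----"   # matches PKCS#8, RSA, EC and encrypted headers


def _looks_like_private_key(path: Path) -> bool:
    """Heuristic: PEM private keys carry a '... PRIVATE KEY-----' header."""
    try:
        with path.open("rb") as fh:
            return PEM_KEY_MARKER in fh.read(4096)
    except OSError:
        return False


def audit_pki_tree(root, expected_uid=0):
    """Return (path, problem) findings for ROOT/private and ROOT/certs.
    expected_uid must own the private tree; an empty list means compliance."""
    root = Path(root)
    private, certs = root / "private", root / "certs"
    findings = []

    if not private.is_dir():
        findings.append((str(private), "missing private-key directory"))
    else:
        # The directory itself and everything under it: owner-only access.
        for p in [private, *private.rglob("*")]:
            if p.is_symlink():
                findings.append((str(p), "symlink in private tree; target escapes the policy"))
                continue
            st = p.lstat()
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid != expected_uid:
                findings.append((str(p), f"owned by uid {st.st_uid}, expected {expected_uid}"))
            if mode & 0o077:
                findings.append((str(p), f"mode {mode:04o} grants group/other access"))

    if certs.is_dir():
        for p in certs.rglob("*"):
            if p.is_symlink() or not p.is_file():
                continue   # hash-style symlinks to CA certs are expected here
            if stat.S_IMODE(p.stat().st_mode) & 0o022:
                findings.append((str(p), "certificate is group/world writable"))
            if _looks_like_private_key(p):
                findings.append((str(p), "private key stored in the public certs directory"))
    return findings
```

Run it as root against /etc/ssl (or the per-jail config directory) from a periodic job; any non-empty result is worth a look before a daemon that cannot drop privileges gets its key.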