Quoting Anthony DeRobertis (2015-11-20 03:06:20)
> On 08/05/2015 07:11 AM, Thorsten Glaser wrote:
>> Bas Wijnen <wijnen <at> debian.org> writes:
>>
>>> Certificates are placed in /etc/ssl/certs/.
>> No, in /etc/ssl. /etc/ssl/certs/ is for Root CA certificates *only*.
>
> (sorry for responding to a very old message)

Thanks for doing so.

> Really? I've often put the local machine's cert(s) in there. The private
> key goes in private, and the certificate in certs.
>
> That's also how, for example, the autogenerated snakeoil cert works.
> That's where make-ssl-cert puts it.
>
> If this isn't how it's supposed to be used, that's surprising, and
> especially if it's actually a security issue, ought to be documented in
> at least one of:
>
> - a README in /etc/ssl/ or /etc/ssl/certs
> - man update-ca-certificates
> - /usr/share/doc/ca-certificates/README.Debian
> - /usr/share/doc/openssl/README.Debian
> - bug #26406 (just kidding)
>
> all of which I checked, and they either don't exist (that first one) or
> don't say to only put CA certs in /etc/ssl/certs.
>
> And as noted above, ssl-cert puts the default snakeoil certs there—so
> that's the path you see in, e.g., shipped config files. Which naturally
> suggests to the admin that's where they belong.
>

Really: Thanks: You describe *exactly* my line of thought, which led me to my current location of local CAcert.org-issued certificates.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private