IncludeCertLocationXhier
Therefore he created an sslCerts xhier package (which has only ever had one version, sslCerts-1) under which certificates should be stored.
On xhiered systems, certificates should be placed in
/software/sslCerts/config/certs/ and software configured to reference them from there.
Similarly private keys should be put in
/software/sslCerts/config/certs/private/ with configuration set appropriately.
Note that, although one suspects the idea was that the directory should be mode 700, it now tends to be 711 or worse, so you should make sure the individual files are not readable by world or by inappropriate groups. (The search permission may be designed to allow daemons running as non-root to access individual key files?)
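One way to check this on a host, as an added example that is not part of the original page or of the sslCerts package: a POSIX shell function (the name audit_key_perms is hypothetical) that fails on key files with read or write bits for others and lists group-readable ones for review. It defaults to the private key directory named above.

```shell
#!/bin/sh
# Added example: audit private key file modes in an sslCerts-style layout.
# The default directory is the one named on this page; pass another to test.

# Returns 0 if no key file is readable or writable by "other",
# 1 if at least one is, 2 if the directory does not exist.
audit_key_perms() {
    keydir=${1:-/software/sslCerts/config/certs/private}
    [ -d "$keydir" ] || { echo "no such directory: $keydir" >&2; return 2; }

    # A directory with the "other" search bit (e.g. mode 711) lets anyone
    # open a file whose name they know, so the file modes are the control.
    if [ -n "$(find "$keydir" -prune -perm -001)" ]; then
        echo "NOTE: $keydir is searchable by others; file modes must be tight"
    fi

    # Any read or write bit for "other" on a regular file is a failure.
    world=$(find "$keydir" -type f \( -perm -004 -o -perm -002 \))
    # Group-readable files need a decision: is that group appropriate?
    group=$(find "$keydir" -type f -perm -040 ! -perm -004)

    if [ -n "$group" ]; then
        echo "REVIEW (group-readable, check the group is intended):"
        echo "$group" | while IFS= read -r f; do ls -ld "$f"; done
    fi
    if [ -n "$world" ]; then
        echo "FAIL (accessible to others):"
        echo "$world" | while IFS= read -r f; do ls -ld "$f"; done
        return 1
    fi
    return 0
}
```

Calling `audit_key_perms` with no argument checks /software/sslCerts/config/certs/private; the `ls -ld` output shows the owning group so a reviewer can judge whether it is an appropriate one.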
An automated process, part of the sslCerts packages, makes sure
/software/sslCerts/config/certs/cacert.pem contains the OrganizationSSL certificate.
Actually, I'm not certain IST updated the automated process when the intermediate certificate changed in 2011.
In general, xhiered software which requires certificates will by default refer to them in these locations.
-- AdrianPepper - 23 Sep 2011