---+ Xhier Certificate Location

<!-- <pre>
// IncludeCertLocationXhier
//
// (Aside: TWiki H1 style is not nice)
//
// This page was primarily designed for inclusion where necessary,
// but might work well stand-alone, especially with the careful use of
// the STARTINCLUDE and STOPINCLUDE "variables" which allow a header
// and footer, although not generalized creation of differences in
// included and non-included forms.
//
// Note the line after STARTINCLUDE.
// The CFADRIANGADGETINCLUDE variable renders as a link which
// makes it easy for a reader to get to the inclusion to edit it,
// although the rendered presentation does not seem fully intuitive yet.
// </pre>-->

To see how this inclusion page fits in with similar ones, perhaps see one of
   * CertMaintenanceCollapsed
   * CertificateUpdates

---

<!-- Bah! You don't seem to be able to have multiple STOP/STARTINCLUDE -->

%STARTINCLUDE%
---++ Certificate Location under Xhier
%CFADRIANGADGETINCLUDE%

The great Xhier guru [[http://arts.uwaterloo.ca/~pmatlock/][Patrick Matlock]] conceived that all applications configured under xhier should have a single location in which SSL certificates (and private keys) are kept. He therefore created an sslCerts xhier package (which has only ever had one version, sslCerts-1) under which certificates should be stored.

On xhiered systems, certificates should be placed in
<pre>
/software/sslCerts/config/certs/
</pre>
and software configured to reference them from there.

Similarly, private keys should be put in
<pre>
/software/sslCerts/config/certs/private/
</pre>
with configuration set appropriately. Note that, although one suspects the idea was that the directory should be mode 700, it now tends to be 711 or worse, so you should make sure the individual files are not readable by world or inappropriate groups. (The search permission may be designed to allow daemons running as non-root to access individual key files?)
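
One way to run the permission check described above, as an added example that is not part of this page's original text or of the sslCerts package. The function names, the finding labels and the optional allowed-group argument are assumptions of the example, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not part of the sslCerts package.
# Usage: audit_key_perms DIR [ALLOWED_GROUP]
#   ALLOWED_GROUP (an assumption of this example): the one group, by name or
#   gid, that a non-root daemon runs under and that may read key files.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad DIR.
audit_key_perms() {
    dir=$1
    allowed_group=${2:-}
    if [ ! -d "$dir" ]; then
        echo "ERROR $dir is not a directory"
        return 2
    fi
    report=$(
        # Directory: 700 or 711 passes; read or write for other does not.
        find "$dir" -prune \( -perm -004 -o -perm -002 \) -exec echo DIR-OPEN {} \;
        # Files: any permission bit for other exposes the key.
        find "$dir" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec echo WORLD {} \;
        # Files: group-readable, unless the file belongs to the allowed group.
        if [ -n "$allowed_group" ]; then
            find "$dir" -type f -perm -040 ! -group "$allowed_group" \
                -exec echo GROUP {} \;
        else
            find "$dir" -type f -perm -040 -exec echo GROUP {} \;
        fi
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed demo tree (empty files, not real keys): a mode-711 directory
# with one protected, one world-readable and one group-readable file.
demo_key_tree() {
    d=$(mktemp -d) || return 1
    chmod 711 "$d"
    for f in good.key world.key group.key; do : > "$d/$f"; done
    chmod 600 "$d/good.key"
    chmod 644 "$d/world.key"
    chmod 640 "$d/group.key"
    echo "$d"
}

tree=$(demo_key_tree)
audit_key_perms "$tree" || echo "audit: findings listed above"
rm -rf "$tree"
```

On an xhiered host the same function can be pointed at =/software/sslCerts/config/certs/private/=, passing the daemon's group as the second argument if group-readable keys are intended.
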
An automated process, part of the sslCerts package, makes sure
<pre>
/software/sslCerts/config/certs/cacert.pem
</pre>
contains the OrganizationSSL certificate.

%TABLE{tableborder="0" cellpadding="10" databg="#DB8B8B" }%
|\
Actually, I'm not certain IST updated the automated process when the \
intermediate certificate changed in 2011. \
|

In general, xhiered software which requires certificates will by default refer to them in these locations.
%STOPINCLUDE%

-- Main.AdrianPepper - 23 Sep 2011

---

%INCLUDE{CF.IncludeAdrianReferers}%
Topic revision: r5 - 2011-09-29 - AdrianPepper