[Pkg-openssl-devel] Where should daemons put their RSA keyfiles?
Ian Beckwith
ianb at nessie.mcc.ac.uk
Sun May 28 19:33:54 UTC 2006
Hello openssl people.
Where should daemons store their RSA key files?
telnetd-ssl stores both cert and key in /etc/ssl/certs/telnetd.pem:
-rw-r----- 1 root telnetd-ssl 2103 Jul 13 2005 /etc/ssl/certs/telnetd.pem
but according to #368416, gnutls refuses to verify a remote certificate
once it hits an unreadable certificate in /etc/ssl/certs/.
So, I need to split the .pem file in telnetd-ssl postinst and move the
RSA key to somewhere else. Where would be best?
Is /etc/ssl/private/ appropriate or is that reserved for some other purpose?
Looking at my sid system, this would mean that the telnetd user would
have to be a member of the ssl-cert group. Would that cause any
problems, security or otherwise?
Would something under (for example) /etc/telnetd-ssl/ be a better location?
Alternatively, is the current situation ok and should I instead bug
the gnutls people to fix this behaviour?
It appears several other packages have this problem (from a quick
skim, at least bincimap, ejabberd, linux-ftpd-ssl, sslwrap and
uw-imap). When I find out what the right thing to do is, I'll file
bugs on those packages.
Thanks for any advice.
regards,
Ian.
--
Ian Beckwith - ianb at nessie.mcc.ac.uk - http://nessie.mcc.ac.uk/~ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5 4814 40EC C154 A8BA C1EA
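The split the mail is asking about, written out as an added example (this is not part of the original post and not telnetd-ssl's actual postinst): a POSIX sh function that copies the CERTIFICATE block(s) of a combined PEM to a world-readable file under /etc/ssl/certs and the PRIVATE KEY block(s) to a 0640 root:ssl-cert file, with the key file created locked down before any secret is written into it. The paths and the ssl-cert group name come from the mail; the function names, the use of awk for the split, and the sample PEM (a constructed placeholder, not real key material) are assumptions of this example. The chown step only runs when the script is executed as root.

```shell
#!/bin/sh
# Added example: split a combined cert+key PEM into a public certificate file
# and a group-restricted private key file (layout discussed in the mail).
set -eu

# split_pem COMBINED CERT_OUT KEY_OUT KEY_GROUP
# CERTIFICATE blocks -> CERT_OUT (0644); PRIVATE KEY blocks -> KEY_OUT (0640,
# owned root:KEY_GROUP when run as root). Anything outside a block is dropped.
split_pem() {
    combined="$1"; cert_out="$2"; key_out="$3"; key_group="$4"

    # Create the key file empty and already restricted, so the secret is never
    # on disk with a permissive mode, even briefly (no world-readable window).
    old_umask=$(umask)
    umask 077
    : > "$key_out"
    chmod 0640 "$key_out"
    umask 022
    : > "$cert_out"
    chmod 0644 "$cert_out"
    umask "$old_umask"

    # Route each "-----BEGIN X----- ... -----END X-----" block by its label.
    awk -v cert="$cert_out" -v key="$key_out" '
        /^-----BEGIN / { target = ($0 ~ /PRIVATE KEY-----$/) ? key : cert }
        target != ""   { print >> target }
        /^-----END /   { target = "" }
    ' "$combined"

    # Only root can hand the key to the service group; a daemon that reads the
    # key before dropping privileges does not even need group membership.
    if [ "$(id -u)" -eq 0 ] && getent group "$key_group" >/dev/null 2>&1; then
        chown "root:$key_group" "$key_out"
    fi
}

# count_blocks FILE LABEL -> number of "-----BEGIN ...LABEL-----" lines in FILE
count_blocks() {
    grep -c -- "^-----BEGIN .*$2-----\$" "$1" || true
}

# file_mode FILE -> octal permission bits (GNU stat, falling back to BSD stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# demo -> path of a temp dir holding a constructed telnetd.pem and its split.
# The PEM bodies below are constructed placeholders, not real key material.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/telnetd.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgc2FtcGxlIGNlcnRpZmljYXRlIGJvZHk=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlIGtleSBib2R5IChub3QgYSByZWFsIGtleSk=
-----END RSA PRIVATE KEY-----
EOF
    # In a real postinst these would be /etc/ssl/certs/telnetd.pem and
    # /etc/ssl/private/telnetd.key with group ssl-cert.
    split_pem "$tmp/telnetd.pem" "$tmp/telnetd.crt" "$tmp/telnetd.key" ssl-cert
    echo "$tmp"
}

# Stand-alone run: perform the split on the sample and show the resulting modes.
d=$(demo)
ls -l "$d"
rm -rf "$d"
```

Because the key file is created with a 077 umask and chmod'ed before awk writes into it, the private key never sits on disk as world-readable; the certificate file stays 0644 so that a verifier walking /etc/ssl/certs/ only ever meets readable files, which is the gnutls failure mode the mail describes.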