Home / server / Questions / 62496
Accepted
John Topley
Asked: 2009-09-05 07:57:12 +0800 CST

SSL Certificate Location on UNIX/Linux

  • 772

Is there any standard or convention for where SSL certificates and associated private keys should go on the UNIX/Linux filesystem?

linux unix filesystems ssl ssl-certificate

5 Answers

  1. Best Answer

    For system-wide use, OpenSSL should provide you /etc/ssl/certs and /etc/ssl/private. The latter of which will be restricted 700 to root:root.

    If you have an application that doesn’t perform initial privilege separation from root, then it might suit you to locate them somewhere local to the application with the relevantly restricted ownership and permissions.

    • 130

  2. This is where Go looks for public root certificates:

    "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
"/etc/pki/tls/cacert.pem",                           // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
"/etc/ssl/cert.pem",                                 // Alpine Linux

    Also:

    "/etc/ssl/certs",               // SLES10/SLES11, https://golang.org/issue/12139
"/system/etc/security/cacerts", // Android
"/usr/local/share/certs",       // FreeBSD
"/etc/pki/tls/certs",           // Fedora/RHEL
"/etc/openssl/certs",           // NetBSD
"/var/ssl/certs",               // AIX
    • 105

  3. This will vary from distribution to distribution. For example, on Amazon Linux instances (based on RHEL 5.x and parts of RHEL6, and compatible with CentOS), the certificates are stored in /etc/pki/tls/certs and the keys are stored in /etc/pki/tls/private. The CA certificates have their own directory, /etc/pki/CA/certs and /etc/pki/CA/private. For any given distribution, especially on hosted servers, I recommend to follow the already-available directory (and permissions) structure, if one is available.

    • 21

  4. Ubuntu uses /etc/ssl/certs. It also has the command update-ca-certificates which will install certificates from /usr/local/share/ca-certificates.

    So installing your custom certificates in /usr/local/share/ca-certificates and running update-ca-certificates seems to be recommended.

    http://manpages.ubuntu.com/manpages/latest/man8/update-ca-certificates.8.html

    • 9

  5. If you are looking for a certificate used by your Tomcat instance

    1. Open the server.xml file
    2. Search for SSL/TLS connector
    3. See keystoreFile attribute that contains the path to keystore file.

    It looks like

    <Connector
    protocol="org.apache.coyote.http11.Http11Protocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS" />
    • -1