Linux – SSL Certificate Location on UNIX/Linux

filesystemslinuxsslssl-certificateunix

Is there any standard or convention for where SSL certificates and associated private keys should go on the UNIX/Linux filesystem?

Best Answer

For system-wide use, OpenSSL should provide you /etc/ssl/certs and /etc/ssl/private. The latter of which will be restricted 700 to root:root.

If you have an application that doesn’t perform initial privilege separation from root, then it might suit you to locate them somewhere local to the application with the relevantly restricted ownership and permissions.

Related Solutions

Linux – Meaning of directories on Unix and Unix like systems

For more data on the layout of Linux file-systems, look at the Filesystem Hierarchy Standard (now at version 2.3, with the beta 3.0 version deployed on most recent distros). It does explain some of where the names came from:

/bin - Binaries.
/boot - Files required for booting.
/dev - Device files.
/etc - Et cetera. The name is inherited from the earliest Unixes, which is when it became the spot to put config-files.
/home - Where home directories are kept.
/lib - Where code libraries are kept.
/media - A more modern directory, but where removable media gets mounted.
/mnt - Where temporary file-systems are mounted.
/opt - Where optional add-on software is installed. This is discrete from /usr/local/ for reasons I'll get to later.
/run - Where runtime variable data is kept.
/sbin - Where super-binaries are stored. These usually only work with root.
/srv - Stands for "serve". This directory is intended for static files that are served out. /srv/http would be for static websites, /srv/ftp for an FTP server.
/tmp - Where temporary files may be stored.
/usr - Another directory inherited from the Unixes of old, it stands for "UNIX System Resources". It does not stand for "user" (see the Debian Wiki). This directory should be sharable between hosts, and can be NFS mounted to multiple hosts safely. It can be mounted read-only safely.
/var - Another directory inherited from the Unixes of old, it stands for "variable". This is where system data that varies may be stored. Such things as spool and cache directories may be located here. If a program needs to write to the local file-system and isn't serving that data to someone directly, it'll go here.

/opt vs /usr/local

The rule of thumb I've seen is best described as:

Use /usr/local for things that would normally go into /usr, or are overriding things that are already in /usr. Use /opt for things that install all in one directory, or are otherwise special.

Ssh – How to change the private key passphrase

To change the passphrase on your default key:

$ ssh-keygen -p

If you need to specify a key, pass the -f option:

$ ssh-keygen -p -f ~/.ssh/id_dsa

then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa if you have an RSA key.)

More details from man ssh-keygen:

[...]
SYNOPSIS
    ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
               [-f output_keyfile]
    ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
[...]
     -f filename
             Specifies the filename of the key file.
[...]
     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.
[...]

Best Answer

Related Solutions

Linux – Meaning of directories on Unix and Unix like systems

Ssh – How to change the private key passphrase

Related Topic