[brlug-general] Where do you put your SSL files?

John Hebert johnahebert at yahoo.com
Mon Nov 26 14:44:45 CST 2007


1. We keep our certs in an application-specific area (/app/tomcat/conf/ssl.*), but then hosting that app is all we do with our servers. If you have lots of apps on the server that need a cert, then put them in a central location like /usr/shared/ssl/certs like you said.

If you have lots of certs, you would probably want to store them centrally and categorize them differently. Depends on the situation.

BTW, you don't have to store certs for specific servers on the server itself. They could all be put in a shared drive somewhere, as long as your app knows where to find them.

2. Use a cert vendor that gives you better management tools for your certs. We use Entrust.com, but then we don't manage more than a few dozen certs for customers. Don't have much experience with the others.

John Hebert

----- Original Message ----
From: Dustin Puryear <dustin at puryear-it.com>
To: Sage Members <sage-members at sage.org>; general at brlug.net; nolug at nolug.org
Sent: Monday, November 26, 2007 1:52:48 PM
Subject: [brlug-general] Where do you put your SSL files?


So, a little issue I see a lot is that SSL cert files seem to go
everywhere. I may see some under /var/shared/ssl/certs/, some under
application-specific directories (e.g., /etc/httpd/conf/ssl.*/,
/etc/ldap/), etc.

What are your thoughts on:

1. Putting all certs under a standardized location, e.g.,
/usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them for a
little more security.

2. Keeping them in application-specific areas.

Also, how are you keeping track of cert expiration? We usually get
emails from the SSL cert vendor about renewals, but..

-- 
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices

Identity Management, LDAP, and Linux Integration
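
Added example, not part of the original thread: whichever layout is chosen (one central directory or per-application directories), a single audit pass over all of them can cover both questions raised above, key file permissions and certificate expiration. The function names, the 30-day threshold and the assumption that files are PEM-encoded are choices made for this sketch; it relies on `openssl x509 -checkend`.

```shell
#!/bin/sh
# Added example: walk one or more directories, flag PEM certificates that
# expire within WARN_DAYS and private keys readable by group or other.
# WARN_DAYS and the function names are assumptions of this sketch.
WARN_DAYS=${WARN_DAYS:-30}

# Inspect a single file and print a finding line for each problem.
check_file() {
    f=$1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        # -checkend exits non-zero when the cert expires within N seconds
        # (an unparseable certificate is also reported here).
        if ! openssl x509 -in "$f" -noout \
                -checkend $((${WARN_DAYS:-30} * 86400)) >/dev/null 2>&1; then
            end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null)
            echo "EXPIRING $f ($end)"
        fi
    fi
    if grep -q -- 'PRIVATE KEY-----' "$f" 2>/dev/null; then
        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ld "$f" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "LOOSE_KEY $f (group/other bits: $perms)"
        fi
    fi
    return 0
}

# Usage: audit_ssl_dirs DIR...
# Prints findings; returns 0 when nothing was flagged, 1 otherwise.
audit_ssl_dirs() {
    findings=$(find "$@" -type f 2>/dev/null |
        while IFS= read -r f; do check_file "$f"; done) || true
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run directly with the directories to audit as arguments.
if [ "$#" -gt 0 ]; then
    audit_ssl_dirs "$@"
fi
```

Run from cron with every directory that holds certs as arguments, and mail the output when the exit status is non-zero.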
