Public Key Infrastructure (PKI)
===============================

Hosts
-----

Host certificates can be either self-signed or signed by a CA. The private key can be either embedded in the same file as the certificate or kept in a separate file. The simplest form is a self-signed certificate with an embedded key that has no passphrase.

Self-signed host certificates contain both certificate and key in the same file. The file is placed in /etc/ssl/certs/ and named after the service it provides, with ".pem" appended.

CA-signed host certificates are named the same way, or symlinked with that name from hostname.key or whatever makes best sense in the situation, either with the key embedded or with the key kept in the same place.

The script /usr/share/local/localmksslcerts can be used to make self-signed certificates with embedded keys.

Certificate Authority
---------------------

CA certificates are divided into a public certificate and a private key.

The CA certificate is placed in /etc/ssl/certs/ and named loosely after the CN of the organisation, using only the characters [a-zA-Z0-9_-], with "_CA.pem" appended. Example: IT_guide_dr_Jones_CA.pem

The CA key is located in /etc/ssl/private/ under the same name.

The certificate is symlinked to "/etc/ssl/certs/cacert.pem" so that scripts can locate it easily.

Read here about the confusion between commercial CAs and actual security: http://www.counterpane.com/pki-risks.html

Users
-----

Have a look at this web page: http://www.cise.ufl.edu/help/secure-access/ssl-mail-setup.shtml

The script is at /usr/share/local/mycert - adapted to Debian GNU/Linux.

-- 
$Id: Certificates.txt,v 1.2 2002-12-28 02:03:20 jonas Exp $
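The layout above (service.pem with embedded key, NAME_CA.pem in certs/, the equally named key in private/, the cacert.pem symlink) can be audited with a small stdlib-only check. This is an added example, not the localmksslcerts or mycert script; it takes the tree root as a parameter instead of /etc/ssl, and the PEM bodies in the sample tree are constructed dummies, not real keys.

```python
import re
import tempfile
from pathlib import Path

# A PEM file is one or more "-----BEGIN X-----" ... "-----END X-----" blocks.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
# CA certificate naming rule from the text: characters [a-zA-Z0-9_-], then "_CA.pem".
CA_NAME = re.compile(r"^[A-Za-z0-9_-]+_CA\.pem$")

def pem_labels(path):
    """Block labels found in a PEM file, e.g. ['CERTIFICATE', 'RSA PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(Path(path).read_text())]

def audit_layout(root):
    """Check an /etc/ssl-style tree (root/certs, root/private); return a list of findings."""
    certs, private = Path(root, "certs"), Path(root, "private")
    findings = []
    for pem in sorted(certs.glob("*.pem")):
        if pem.name == "cacert.pem":
            continue  # the convenience symlink is checked separately below
        has_key = any("PRIVATE KEY" in label for label in pem_labels(pem))
        if CA_NAME.match(pem.name):
            if has_key:
                findings.append(f"certs/{pem.name}: CA private key embedded in the public certs dir")
            if not (private / pem.name).is_file():
                findings.append(f"certs/{pem.name}: no equally named CA key in private/")
        if has_key and pem.stat().st_mode & 0o077:  # embedded host key is fine, world-readable is not
            findings.append(f"certs/{pem.name}: contains a private key but is readable by others")
    link = certs / "cacert.pem"
    if not (link.is_symlink() and link.exists() and CA_NAME.match(link.resolve().name)):
        findings.append("certs/cacert.pem: missing or not a symlink to a *_CA.pem file")
    for key in sorted(private.glob("*.pem")):
        if key.stat().st_mode & 0o077:
            findings.append(f"private/{key.name}: key file readable by group/others")
    return findings

def make_sample_tree():
    """Constructed tree with dummy PEM bodies (not real keys) that exercises the audit."""
    root = Path(tempfile.mkdtemp())
    for sub in ("certs", "private"):
        (root / sub).mkdir()
    cert = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n"
    (root / "certs" / "imap.pem").write_text(cert + key)  # self-signed host cert, key embedded
    (root / "certs" / "imap.pem").chmod(0o644)            # too open for a file holding a key
    (root / "certs" / "IT_guide_dr_Jones_CA.pem").write_text(cert)
    (root / "private" / "IT_guide_dr_Jones_CA.pem").write_text(key)
    (root / "private" / "IT_guide_dr_Jones_CA.pem").chmod(0o600)
    (root / "certs" / "cacert.pem").symlink_to("IT_guide_dr_Jones_CA.pem")
    return root
```

Run `audit_layout("/etc/ssl")` on a host that follows this layout; an empty list means the naming, symlink and permission rules all hold.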