Public Key Infrastructure (PKI) =============================== General ------- Certificates are not (yet) widely used in Debian, so a typical packaging error is to purge certificates on package removal (without checking if the certificate was actially created by that package). A workaround is generous use of symlinks, so that buggy packages only remove the symlink. (Please send a bugreport to the Debian Bug Tracking System if you come across such a buggy package!) Hosts ----- Host certificates can be either self-signed or signed by a CA. The key can be either embedded into the same file as the certificate or in a separate file. The simplest form is a self-signed certificate with null-password embedded key. Some services (like SMTP TLS in server mode) requires certificate and key in separate files. Beware that adding password to host certificates may require you to manually start the services. Depending on the startup scripts it might even HANG THE STARTUP PROCESS OF THE SYSTEM! Self-signed host certificates contain both certificate and key in same file. CA signed host certificates have separate public (certificate) and private (key) files. The CN field of the certificate must be the hostname as accessed from clients. This means virtual hosting requires separate certificates for each hostname. Most daemons cannot handle multiple certificates, and thus do not support SSL/TLS virtual hosting. The certificate is placed in /etc/ssl/certs/ named by the hostname appended ".pem". If several certificates are used for same host then secondary certificates are additionally appended their (primary) service like this: "<hostname_<service>.pem". The key (if separate) is placed in /etc/ssl/private/ named similarly. Host certificate is symlinked from "/etc/ssl/certs/<service>.pem" for each service depending on the key, and the key (if separate) symlinked likewise from "/etc/ssl/private/<service>.pem". Example: /etc/ssl/certs/mail.jones.dk.pem /etc/ssl/certs/ldap.jones.dk.pem /etc/ssl/certs/imapd.pem -> mail.jones.dk.pem /etc/ssl/certs/ipop3d.pem -> mail.jones.dk.pem /etc/ssl/certs/postfix.pem -> mail.jones.dk.pem /etc/ssl/certs/slapd.pem -> ldap.jones.dk.pem /etc/ssl/private/mail.jones.dk.pem /etc/ssl/private/ldap.jones.dk.pem /etc/ssl/private/imapd.pem -> mail.jones.dk.pem /etc/ssl/private/ipop3d.pem -> mail.jones.dk.pem /etc/ssl/private/postfix.pem -> mail.jones.dk.pem /etc/ssl/private/slapd.pem -> ldap.jones.dk.pem The script /usr/share/local/localmksslcerts can be used to make self-signed certificates with embedded keys. Certificates should be chmod'ed 0444 and keys 0400. Certificate Authority --------------------- CA Certificates are divided in a public certificate and a private key. The CA certificate is placed in /etc/ssl/certs/ and named loosely by the CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.pem". CA key is located in /etc/ssl/private/ equally named. CA certificate is symlinked from "/etc/ssl/certs/cacert.pem" and the key symlinked from "/etc/ssl/private/cakey.pem" to ease locating by scripts. Example: /etc/ssl/certs/IT_guide_dr_Jones_CA.pem and /etc/ssl/certs/cacert.pem -> IT_guide_dr_Jones_CA.pem /etc/ssl/private/IT_guide_dr_Jones_CA.pem /etc/ssl/private/cakey.pem -> IT_guide_dr_Jones_CA.pem More info here: http://tirian.magd.ox.ac.uk/~nick/openssl-certs/ca.shtml Read here about confusion between commercial CAs and actual security: http://www.counterpane.com/pki-risks.html Like with hosts, certificates should be chmod'ed 0444 and keys 0400. Users ----- Have a look at this web page: http://www.cise.ufl.edu/help/secure-access/ssl-mail-setup.shtml The script is at /usr/share/local/mycert, adapted to Debian GNU/Linux. TODO ---- Check if possible to use CN=*.my.domain -- $Id: Certificates.txt,v 1.5 2003-01-14 18:42:01 jonas Exp $