This page describes how to manage certificates consistently and easily between packages providing encrypted connections through SSL.


Many services provide encrypted connections, either through a dedicated port (SSL) or through the standard port with on-demand encryption (TLS). In both cases, the service requires a secret key and a public certificate. Depending on the upstream packaging, software may come with a ready-to-use example configuration file to generate them, dedicated scripts, or a dedicated procedure to create those files. The goal of this policy is to ensure consistency on several issues:



Specification

Generation

SSL certificates should be created on initial package installation only.


Location

There are basically three kinds of files involved:

The configuration file has no use once the certificate is created. Moreover, as the goal of this policy is to use standard content, there isn't much interest in keeping it for reference. As a consequence, it can be discarded.

The public certificate has to be located in /etc/pki/tls/certs, be named after the service it is used for, use the .pem extension, and have standard permissions. Example:

644 root root /etc/pki/tls/certs/ldap.pem

The private key has to be located in /etc/pki/tls/private, be named after the service it is used for, use the .pem extension, and have restricted permissions: 600 if the service runs under the root uid, 640 if the service runs under another uid. Example:

640 root ldap /etc/pki/tls/private/ldap.pem


Content

The goal is to enforce a uniform description and key length among the various services, while still allowing further user-definable configuration.

Here is a standardized configuration:

default_bits            = 1024
encrypt_key             = no
prompt                  = no
distinguished_name      = req_dn
req_extensions          = req_ext

[ req_dn ] 
commonName              = $host
organizationalUnitName  = default $service certificate for $host
emailAddress            = root@$host

[ req_ext ]
basicConstraints        = CA:FALSE


Implementation

rpm-helper 0.19 includes an SSL configuration script. Here is how to use it:

%post
%create_ssl_certificate <service> [bundle mode] [group]

It creates a suitable configuration file on the fly from the user-defined configuration, generates the certificate and key, and then discards the configuration file.
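As an added illustration of the policy above (this is example code, not rpm-helper's own %create_ssl_certificate script), the following POSIX shell functions render the standardized request configuration, generate a self-signed certificate and key on first installation only, place them under the policy's locations with the policy's permissions, and discard the configuration file. PKI_ROOT is an assumed override (defaulting to /etc/pki/tls) so the script can be exercised outside the system directory; it uses 2048-bit keys rather than the page's 1024, since 1024-bit RSA is below current minimums.

```shell
#!/bin/sh
# Example implementation of the certificate policy; not rpm-helper code.
# Usage: create_service_certificate <service> [group]
set -eu
: "${PKI_ROOT:=/etc/pki/tls}"   # assumed override, defaults to the policy location

# Private key mode: 600 when only root reads it, 640 when the service
# runs under another uid and reads the key through its group.
key_mode() {
    case "${1:-root}" in root|'') echo 600 ;; *) echo 640 ;; esac
}

# Render the policy's standardized request configuration for one host/service.
req_config() {
    host=$1 service=$2
    cat <<EOF
default_bits            = 2048
encrypt_key             = no
prompt                  = no
distinguished_name      = req_dn
req_extensions          = req_ext

[ req_dn ]
commonName              = $host
organizationalUnitName  = default $service certificate for $host
emailAddress            = root@$host

[ req_ext ]
basicConstraints        = CA:FALSE
EOF
}

create_service_certificate() {
    service=$1 group=${2:-root}
    cert=$PKI_ROOT/certs/$service.pem
    key=$PKI_ROOT/private/$service.pem
    mkdir -p "$PKI_ROOT/certs" "$PKI_ROOT/private"
    # Initial installation only: an existing pair is never overwritten.
    if [ -e "$cert" ] || [ -e "$key" ]; then
        echo "certificate for $service already exists, skipping" >&2
        return 0
    fi
    host=$(hostname -f 2>/dev/null || hostname)
    conf=$(mktemp)
    req_config "$host" "$service" > "$conf"
    # Self-signed certificate plus unencrypted key in one step; the umask keeps
    # the key from ever being world-readable, -extensions applies CA:FALSE.
    (umask 077 && openssl req -x509 -new -config "$conf" -extensions req_ext \
        -days 365 -keyout "$key" -out "$cert" >/dev/null 2>&1)
    rm -f "$conf"                                   # discard the configuration
    chown root:root "$cert" && chmod 644 "$cert"
    chown "root:$group" "$key" && chmod "$(key_mode "$group")" "$key"
}
```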

Besides the service name, additional options may be given:


Note
This Policy is based on the Mandriva SSL Certificates Policy.