SSL certificates policy

Материал из Rosalab Wiki
Перейти к: навигация, поиск
This page describes how to manage certificates consistently and easily between packages providing encrypted connections through SSL.


Many services provided encrypted connections, either through a dedicated port (SSL), or through standard port with on-demand encryption (TLS). In both case, the service requires a secret key and a public certificate. Depending of the upstream packaging, software may come with ready-to-use example configuration file to generate those, dedicated scripts, and dedicated procedure to create those files. The goal of this policy is to ensure consistency on several issues:

  • generation: when are those certificates generated
  • location: where to store involved files
  • content: what they should contains


Specification

Generation

SSL certificates should be created on initial package installation only.


Location

They are basically three kind of files involved

  • configuration files
  • public certificate
  • private key

Configuration file has no usage once certificate created. Moreover, as the goal of this policy is to use standard content, there ins't much interest of keeping them for reference. As a consequence, they can be discarded.

public certificate has to be located in /etc/pki/tls/certs, be named after the services it is used for, using .pem extension, with standard permissions. Exemple:

644 root root /etc/pki/tls/certs/ldap.pem

private key has to be located in /etc/pki/tls/private be named after the services it is used for, using .pem extension, with restricted permissions: 600 if the service runs under root uid, 640 if the service runs under another id. Exemple:

640 root ldap /etc/pki/tls/certs/ldap.pem


Content

The goal is to enforce uniform description, key length, among various service, allowing further user-definable configuration.

Here is a standardized configuration:

default_bits            = 1024
encrypt_key             = no
prompt                  = no
distinguished_name      = req_dn
req_extensions          = req_ext

[ req_dn ] 
commonName              = $host
organizationalUnitName  = default $service certificate for $host
emailAddress            = root@$host

[ req_ext ]
basicConstraints        = CA:FALSE


Implementation

rpm-helper 0.19 includes a ssl configuration script. Here is how to use it:

%post
%create_ssl_certificate <service> [bundle mode] [group]

It will create a suited configuration file on the fly, using user-defined configuration, create certificates, and then discard configuration file.

Beside service name, additional options may be given:

  • bundle mode, if set to "true", will create a unique file containing both certificate and key
  • group, if set, will make the key readable by this group

Замечание:
This Policy is based on the Mandriva SSL Certificates Policy.