SSL certificates policy
SSL certificates should be created on initial package installation only.
There are basically three kinds of files involved:
- configuration files
- public certificate
- private key
The configuration file has no further use once the certificate has been created. Moreover, since the goal of this policy is to use standard content, there is little interest in keeping it for reference. As a consequence, it can be discarded.
The public certificate has to be located in /etc/pki/tls/certs, be named after the service it is used for, use the .pem extension, and have standard permissions. Example:
644 root root /etc/pki/tls/certs/ldap.pem
The private key has to be located in /etc/pki/tls/private, be named after the service it is used for, use the .pem extension, and have restricted permissions: 600 if the service runs under the root uid, 640 if the service runs under another id. Example:
640 root ldap /etc/pki/tls/private/ldap.pem
The goal is to enforce a uniform description and key length across the various services, while still allowing further user-definable configuration.
Here is a standardized configuration:
default_bits = 1024
encrypt_key = no
prompt = no
distinguished_name = req_dn
req_extensions = req_ext
[ req_dn ]
commonName = $host
organizationalUnitName = default $service certificate for $host
emailAddress = root@$host
[ req_ext ]
basicConstraints = CA:FALSE
rpm-helper 0.19 includes an SSL configuration script. Here is how to use it:
%post
%create_ssl_certificate <service> [bundle mode] [group]
It creates a suitable configuration file on the fly from the user-defined configuration, creates the certificate and key, and then discards the configuration file.
Besides the service name, additional options may be given:
- bundle mode, if set to "true", will create a single file containing both certificate and key
- group, if set, will make the key readable by this group
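The following is an added, stand-alone sketch of what the %create_ssl_certificate step does, not rpm-helper's own script: it writes the standardized configuration above, generates a self-signed certificate with openssl req -x509, applies the placement and permission rules of this policy, and then discards the configuration. SSL_ROOT, SSL_BITS and SSL_DAYS are assumed knobs, and the bundle is assumed to live at the key path with the key's permissions; the policy text prescribes 1024 bits, which is below the current minimum for RSA keys, so the sketch defaults to 2048.

```shell
#!/bin/sh
# Sketch of what %create_ssl_certificate does (added example, not rpm-helper's code).
# SSL_ROOT, SSL_BITS and SSL_DAYS are assumed knobs; the policy text says 1024 bits,
# which is below today's minimum for RSA, so this sketch defaults to 2048.
SSL_ROOT="${SSL_ROOT:-/etc/pki/tls}"
SSL_BITS="${SSL_BITS:-2048}"
SSL_DAYS="${SSL_DAYS:-3650}"

# Print the standardized request configuration for one service ($1) on host ($2).
ssl_config() {
    cat <<EOF
default_bits = $SSL_BITS
encrypt_key = no
prompt = no
distinguished_name = req_dn
req_extensions = req_ext
[ req_dn ]
commonName = $2
organizationalUnitName = default $1 certificate for $2
emailAddress = root@$2
[ req_ext ]
basicConstraints = CA:FALSE
EOF
}

# create_ssl_certificate <service> [bundle mode] [group]
create_ssl_certificate() {
    service="$1"; bundle="${2:-false}"; group="$3"
    host="$(uname -n)"
    cert="$SSL_ROOT/certs/$service.pem"
    key="$SSL_ROOT/private/$service.pem"
    mkdir -p "$SSL_ROOT/certs" "$SSL_ROOT/private"
    conf="$(mktemp)"
    ssl_config "$service" "$host" > "$conf"
    # umask 077 keeps the key from ever being world-readable, even briefly
    (umask 077 && openssl req -x509 -newkey "rsa:$SSL_BITS" -nodes -days "$SSL_DAYS" \
        -config "$conf" -keyout "$key" -out "$cert" 2>/dev/null)
    rm -f "$conf"                       # the configuration is discarded, as the policy says
    if [ "$bundle" = "true" ]; then
        # assumption: the bundle lives at the key path, with the key's permissions
        cat "$cert" >> "$key" && rm -f "$cert"
    else
        chmod 644 "$cert"
    fi
    if [ -n "$group" ]; then
        chgrp "$group" "$key" && chmod 640 "$key"   # service runs under another id
    else
        chmod 600 "$key"                            # service runs as root
    fi
}
```

Run as root in %post the files end up owned by root, as the policy requires; chgrp alone is enough to grant the service group read access.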