On Sat, Oct 15, 2011 at 11:41 AM, Bruce Dubbs <[email protected]> wrote:

> Programs I can think of right now are browsers, ssh/scp, wget, curl,
> pop3s, imaps, gnutls, bind, apache, vsftpd, ldap, cups, subversion, and
> mysql. Many of these will use openssl as the underlying implementation,
> but they may specify their own location for certificates.
>
I haven't used redhat in years, so I looked up a little about /etc/pki to find out why they would go through the trouble of doing this. It looks like they essentially just plop all system-wide certificates in subdirectories here.

Fedora draft: http://fedoraproject.org/wiki/PackagingDrafts/Certificates

A few examples...

/etc/pki/tls: appears to be the equivalent of /etc/ssl certificate content
/etc/pki/openldap: for ldap-related certificates.

Other paths exist for each application-specific certificate store.

Maybe there is merit to using /etc/pki that I've missed, but I'm not convinced that it's better. The only advantage I see is slightly easier permissions handling and management of certificates without hunting around /etc. Perhaps if /etc/pki had more widespread support I would feel differently.

This only touches on the subject of system-wide pki infrastructure as well; there are still all of the same issues involving user-level pki stores, which could theoretically be handled in a similar fashion. It's a neat idea, but all support seems very specific to redhat. I'm even under the impression (but have been unable to find a source) that they have their own scripts that help in handling the infrastructure.

I did stumble across a bunch of information from Mozilla on a related subject - /etc/pki/nssdb. I'm not sure if any other applications beyond Firefox care about this though. It doesn't even look like Firefox has it down to a science yet either. I'm going to read into this one more before bringing it up any further though.

> I guess we should go ahead and continue to use /etc/ssl/certs and handle
> other situations as they come up as needed.

This is probably a lot easier. Once I get my machine fully updated I'll create a sandbox to play with this idea. I'm not sure if I'll follow the fedora draft 100% though, since I don't entirely agree with it.
Jonathan

--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
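The thread's concern is that a package may be built to look in one certificate directory while the system's CA store lives under the other layout. The POSIX shell helper below is an added example, not code from the thread or from BLFS: it picks the first populated store among the candidate directories (the /etc/pki/tls/certs and /etc/ssl/certs paths are assumed from the discussion above), reports the directory OpenSSL itself was built with via `openssl version -d`, and verifies a certificate against the store it found.

```shell
#!/bin/sh
# Added example: resolve the system CA store across the /etc/pki and
# /etc/ssl layouts and verify a certificate against it.

# Return 0 if the directory holds at least one certificate file
# (PEM/CRT files or OpenSSL hash links such as 2e5ac55d.0).
has_certs() {
    for f in "$1"/*.pem "$1"/*.crt "$1"/*.0; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Print the first populated certificate directory among the arguments;
# return 1 if none of them exists or all are empty.
find_ca_dir() {
    for d in "$@"; do
        if [ -d "$d" ] && has_certs "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Print the directory OpenSSL was compiled to use (OPENSSLDIR), so it can
# be compared with the store that find_ca_dir actually locates.
openssl_dir() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 1; }
    openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Verify a certificate chain against the resolved store.
# Assumed candidate paths: /etc/pki/tls/certs (Fedora draft), /etc/ssl/certs.
verify_cert() {
    cert=$1
    ca_dir=$(find_ca_dir /etc/pki/tls/certs /etc/ssl/certs) || {
        echo "no populated CA store found" >&2
        return 2
    }
    echo "using CA store: $ca_dir (OpenSSL built with: $(openssl_dir))" >&2
    openssl verify -CApath "$ca_dir" "$cert"
}

# Usage: . ./ca-store.sh; verify_cert /path/to/server.pem
```

If `openssl_dir` and `find_ca_dir` disagree, a package compiled with the default OPENSSLDIR will not see the certificates that were installed under the other path.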
