1. We keep our certs in an application-specific area (/app/tomcat/conf/ssl.*), but then hosting that app is all we do with our servers. If you have lots of apps on the server that need a cert, then put them in a central location like /usr/shared/ssl/certs like you said.
If you have lots of certs, you would probably want to store them centrally and categorize them differently. Depends on the situation. BTW, you don't have to store certs for specific servers on the server itself. They could all be put in a shared drive somewhere, as long as your app knows where to find them.

2. Use a cert vendor that gives you better management tools for your certs. We use Entrust.com, but then we don't manage more than a few dozen certs for customers. Don't have much experience with the others.

John Hebert

----- Original Message ----
From: Dustin Puryear <[EMAIL PROTECTED]>
To: Sage Members <sage-members at sage.org>; general at brlug.net; nolug at nolug.org
Sent: Monday, November 26, 2007 1:52:48 PM
Subject: [brlug-general] Where do you put your SSL files?

So, a little issue I see a lot is that SSL cert files seem to go everywhere. I may see some under /var/shared/ssl/certs/, some under application-specific directories (e.g., /etc/httpd/conf/ssl.*/, /etc/ldap/), etc.

What are your thoughts on:

1. Putting all certs under a standardized location, e.g., /usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them for a little more security.

2. Keeping them in application-specific areas.

Also, how are you keeping track of cert expiration? We usually get emails from the SSL cert vendor about renewals, but..

--
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices

Identity Management, LDAP, and Linux Integration
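Whichever layout is chosen, the scattered locations and the chmod'ing discussed in the thread can be checked with a small inventory script. This is an added example, not code from either poster: the search roots are the paths named in the thread, and the permission rules (no group/other access on private keys, no group/other write on certificates) are an assumed policy to adjust per site.

```python
import os
import stat
import sys

# Search roots taken from the paths mentioned in the thread; edit per host.
CERT_ROOTS = ["/usr/shared/ssl/certs", "/var/shared/ssl/certs",
              "/etc/httpd/conf", "/etc/ldap", "/app/tomcat/conf"]

def classify(path):
    """Return 'key', 'cert' or None from the PEM header lines in the file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(65536)
    except OSError:
        return None
    # Matches PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY blocks.
    # A combined cert+key PEM is treated as a key, the stricter case.
    if b"PRIVATE KEY-----" in head:
        return "key"
    if b"-----BEGIN CERTIFICATE-----" in head:
        return "cert"
    return None

def audit(roots):
    """Inventory PEM files under roots as sorted (path, kind, mode, problem)."""
    rows = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                kind = classify(path)
                if kind is None:
                    continue
                mode = stat.S_IMODE(os.stat(path).st_mode)
                problem = None
                # Assumed policy: keys owner-only, certs not writable by others.
                if kind == "key" and mode & 0o077:
                    problem = "private key accessible by group/other"
                elif kind == "cert" and mode & 0o022:
                    problem = "certificate writable by group/other"
                rows.append((path, kind, mode, problem))
    return sorted(rows)

if __name__ == "__main__":
    rows = audit(sys.argv[1:] or CERT_ROOTS)
    for path, kind, mode, problem in rows:
        print(f"{kind:4} {mode:04o} {path} {problem or 'ok'}")
    sys.exit(1 if any(r[3] for r in rows) else 0)
```

Run from cron, the non-zero exit status on any finding makes it easy to alert on; directories passed as arguments replace the default roots.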
