Well, you can't put them on a shared drive unless you are very careful
with perms on the .key files, no?

--
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices

Identity Management, LDAP, and Linux Integration


John Hebert wrote:
> 1. We keep our certs in an application-specific area 
> (/app/tomcat/conf/ssl.*), but then hosting that app is all we do with our 
> servers. If you have lots of apps on the server that need a cert, then put 
> them in a central location like /usr/shared/ssl/certs like you said.
> 
> If you have lots of certs, you would probably want to store them centrally 
> and categorize them differently. Depends on the situation.
> 
> BTW, you don't have to store certs for specific servers on the server itself. 
> They could all be put in a shared drive somewhere, as long as your app knows 
> where to find them.
> 
> 2. Use a cert vendor that gives you better management tools for your certs. 
> We use Entrust.com, but then we don't manage more than a few dozen certs for 
> customers. Don't have much experience with the others.
> 
> John Hebert
> 
> ----- Original Message ----
> From: Dustin Puryear <dustin at puryear-it.com>
> To: Sage Members <sage-members at sage.org>; general at brlug.net; nolug at 
> nolug.org
> Sent: Monday, November 26, 2007 1:52:48 PM
> Subject: [brlug-general] Where do you put your SSL files?
> 
> 
> So, a little issue I see a lot is that SSL cert files seem to go
> everywhere. I may see some under /var/shared/ssl/certs/, some under
> application-specific directories (e.g., /etc/httpd/conf/ssl.*/,
> /etc/ldap/), etc.
> 
> What are your thoughts on:
> 
> 1. Putting all certs under a standardized location, e.g.,
> /usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them for a
> little more security.
> 
> 2. Keeping them in application-specific areas.
> 
> Also, how are you keeping track of cert expiration? We usually get
> emails from the SSL cert vendor about renewals, but..
> 
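A small audit script covering the two concerns raised in this thread (group/other-readable `.key` files and certificate expiry), added here as an example and not code from any of the posters. It assumes the central directory `/usr/shared/ssl/certs` discussed above, root-owned key files, and GNU `date` plus `openssl` on the path.

```shell
#!/bin/sh
# Audit a certificate directory: private keys must carry no group/other
# permission bits and must be owned by KEY_OWNER; every cert is checked
# for how many days remain before notAfter.

CERT_DIR="${1:-/usr/shared/ssl/certs}"   # central location from the thread
KEY_OWNER="${KEY_OWNER:-root}"           # assumption: keys belong to root
WARN_DAYS="${WARN_DAYS:-30}"             # warn when fewer days remain

# Report one key file: 0 if perms/ownership are acceptable, 1 otherwise.
check_key_perms() {
    key="$1"
    owner=$(ls -l "$key" | awk '{print $3}')
    grp_other=$(ls -l "$key" | cut -c5-10)   # rwxrwx for group and other
    if [ "$grp_other" != "------" ]; then
        echo "WEAK: $key is group/other accessible ($grp_other)"
        return 1
    fi
    if [ "$owner" != "$KEY_OWNER" ]; then
        echo "WEAK: $key owned by $owner, expected $KEY_OWNER"
        return 1
    fi
    echo "OK: $key"
    return 0
}

# Days until the certificate expires (negative once it has expired).
# Uses GNU date -d to parse the notAfter string printed by openssl.
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -d "$end" +%s)
    now=$(date +%s)
    echo $(( (end_epoch - now) / 86400 ))
}

# Walk the directory; exit status 1 if anything needs attention.
audit_dir() {
    rc=0
    for k in "$CERT_DIR"/*.key; do
        [ -e "$k" ] || continue
        check_key_perms "$k" || rc=1
    done
    for c in "$CERT_DIR"/*.crt "$CERT_DIR"/*.pem; do
        [ -e "$c" ] || continue
        d=$(days_until_expiry "$c")
        if [ "$d" -lt "$WARN_DAYS" ]; then
            echo "EXPIRING: $c in $d days"; rc=1
        else
            echo "OK: $c expires in $d days"
        fi
    done
    return $rc
}

if [ -n "${1:-}" ]; then audit_dir; fi
```

Run it as `sh ssl-audit.sh /usr/shared/ssl/certs` from cron so the expiry warnings do not depend on the vendor's renewal e-mails.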
