> From:    Alan Altmark <[email protected]>
> Subject: openssl CA certificate maintenance
> 
> I (think I) know that OpenSSL provides two ways to manage certificates:
> 1.  A single PEM file that has all of your CA certificates in it.  I say
> "single" as a matter of practice.
> 2.  A single directory that contains all of the certificates stored in
> separate PEM files.  You use the c_rehash utility each time you add or
> delete a certificate to/from the directory.
> I'm curious as to which way most people do it, and why.

Whenever possible, option 2. Some applications that try to be "smart" about 
certificates don't like this approach, but those seem to be getting rarer 
(yay). 

Option 1 has a high probability of human error, and if you break one, you break 
them all. It's also kind of a pain to determine what certs are installed where. 

Option 2 permits easily distributing and installing certificates using RPMs, 
which makes updating them (or removing them) a snap. It's also a lot easier to 
make sure that any necessary intermediate certificates get pulled in (package 
dependencies + something like yum work a treat) and it's super easy to know 
which systems are affected if a cert is compromised (rpm -qa |grep 
local-cert-xxxxx). It also makes it trivial to automate the c_rehash run in a 
post-install script so you don't ever forget to do it. 

It's a little more work to set up certificate distribution that way the first 
time, but it's worth it. 

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
