Once upon a time, Axel Thimm <Axel.Thimm@xxxxxxxxxx> said:
> Indeed, I always wondered why the certificates had been put under
> /usr/share/ssl and by whom. The FHS had been quite strict on this from
> the very beginning.
>
> /etc seems a rather sane place. Perhaps /etc/ssl/?

You'll need to modify OpenSSL to handle multiple "default" directories.
Currently I think you can only specify a single directory for certs (the
certs setting under the CA_default section in openssl.cnf). Applications
use OpenSSL calls to validate the cert chain, so it'll need to look in the
local directory (/etc/ssl/certs) first and then the other directory
(/usr/share/ssl/certs) when walking the cert chain. The crl directory
should be similar (so you can add local revocations).

What may be a good idea is to have "well known" names for services, like
/etc/ssl/certs/imap, /etc/ssl/certs/smtp, etc. Then you could configure
sendmail for example to use /etc/ssl/certs/smtp. The admin can choose
which cert to use for SSL by symlinking /etc/ssl/certs/smtp to
/etc/ssl/certs/mycert.pem (without having to reconfigure sendmail).

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
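The layout discussed in the message above, as an added example that is not part of the original post or of any distribution's packaging: a POSIX shell script that builds a scratch tree standing in for /usr/share/ssl/certs and /etc/ssl/certs, installs a CA in each using the hashed-directory naming that OpenSSL's -CApath lookup expects, and shows why a single certs directory is a problem, how a local-then-shared lookup order behaves, and how the /etc/ssl/certs/smtp symlink convention works. It assumes an `openssl` binary (1.1.1 or later) on PATH; the directory names, CA names, hostnames and the helper function names are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: builds the two-directory layout
# discussed above under a scratch tree and shows (a) the single -CApath limit,
# (b) a local-then-shared fallback, (c) the /etc/ssl/certs/smtp symlink idea.
# Paths, CA names, hostnames and function names are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SHARED="$WORK/usr/share/ssl/certs"   # stands in for the distro-owned directory
LOCAL="$WORK/etc/ssl/certs"          # stands in for the admin-owned directory
mkdir -p "$SHARED" "$LOCAL"

# install_ca DIR FILE: copy a CA cert into DIR and add the <subject_hash>.N
# symlink that OpenSSL's hashed-directory lookup (-CApath) requires.
# This is what c_rehash does; done by hand here so the layout is visible.
install_ca() {
    dir=$1; file=$2
    cp "$file" "$dir/"
    h=$(openssl x509 -noout -subject_hash -in "$file")
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # don't clobber a hash collision
    ln -s "$(basename "$file")" "$dir/$h.$n"
}

# verify_with DIR CERT: validate CERT's chain using only the CAs in DIR.
# Echoes ok/fail so the result can be captured; -no-CAfile keeps the system
# bundle out of the picture, otherwise it would be consulted as well.
verify_with() {
    if openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# verify_local_then_shared CERT: the lookup order the post proposes, done at
# application level: try the local directory, then fall back to the shared one.
verify_local_then_shared() {
    if [ "$(verify_with "$LOCAL" "$1")" = ok ]; then echo ok; return; fi
    verify_with "$SHARED" "$1"
}

# --- constructed test PKI -------------------------------------------------
NEWKEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
selfsigned() {  # selfsigned NAME SUBJECT  -> $WORK/NAME.pem, $WORK/NAME.key
    # shellcheck disable=SC2086
    openssl req -x509 $NEWKEY -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "$2" -days 1 2>/dev/null
}
issue() {       # issue NAME SUBJECT SIGNER  -> leaf cert signed by SIGNER's key
    # shellcheck disable=SC2086
    openssl req $NEWKEY -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "$2" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -out "$WORK/$1.pem" -days 1 2>/dev/null
}
selfsigned distro-ca "/CN=Distro CA"          # shipped by the distribution
selfsigned site-ca   "/CN=Site CA"            # added by the local admin
selfsigned rogue     "/CN=Rogue self-signed"  # trusted by nobody
issue smtp "/CN=mail.example.test" site-ca
issue imap "/CN=imap.example.test" distro-ca

install_ca "$SHARED" "$WORK/distro-ca.pem"
install_ca "$LOCAL"  "$WORK/site-ca.pem"

# Well-known service names: sendmail is pointed at /etc/ssl/certs/smtp once;
# switching certificates is then a matter of repointing the symlink.
cp "$WORK/smtp.pem" "$LOCAL/mycert.pem"
ln -s mycert.pem "$LOCAL/smtp"
smtp_cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$LOCAL/smtp"
}

# Demo run: one -CApath at a time is all openssl verify takes, so the same
# cert passes or fails depending on which directory the application uses.
echo "smtp via LOCAL:  $(verify_with "$LOCAL"  "$WORK/smtp.pem")"     # ok
echo "smtp via SHARED: $(verify_with "$SHARED" "$WORK/smtp.pem")"     # fail
echo "imap via LOCAL:  $(verify_with "$LOCAL"  "$WORK/imap.pem")"     # fail
echo "imap fallback:   $(verify_local_then_shared "$WORK/imap.pem")"  # ok
echo "rogue fallback:  $(verify_local_then_shared "$WORK/rogue.pem")" # fail
echo "smtp symlink ->  $(smtp_cert_subject)"
```

Two caveats on the fallback: it verifies the whole chain against one directory at a time, so a chain whose intermediate sits in /etc/ssl/certs and whose root sits in /usr/share/ssl/certs still fails, which is exactly the OpenSSL-level change the message says would be needed; and the hashed names are per-subject-hash, so CRLs placed in a hashed directory get the `<hash>.rN` form (issuer hash) rather than `<hash>.N`, which matters if the crl directory is split the same way.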