On Fri, Feb 04, 2005 at 11:50:09PM +0100, Aurelien Bompard wrote:
> Joe Orton wrote:
> > 1. certificate storage is split between /etc/httpd/conf/ssl.*
> > for mod_ssl-specific stuff, and /usr/share/ssl for system-wide
> > 2. ... and /usr/share/ssl is Very Wrong for "config data" like certs
> > 3. increasing number of daemon packages are creating self-signed
> > certs in %post scripts; could/should this be unified?
>
> For what it's worth, Debian puts its certs in /etc/ssl/certs.
> There may be a problem with apache accessing files in /etc/ssl because of
> SELinux, but I don't know much about SELinux yet.
>
> Having the contents of /usr/share/ssl in /etc would be nice, since it's
> mainly config files (except the scripts).

I agree with moving the files from /usr to /etc. The specific name isn't all that important (though I suspect it'll make for some lively debate -- "but certificates aren't SSL-specific, so call it 'certs'!" "but I don't keep my OpenPGP certificates there, so call it 'ssl'!" "oh, just call it 'pki' already!").

The main concern in my mind is making sure that applications which explicitly configure OpenSSL to look in particular locations don't suddenly break if/when the set of trusted CA certs is moved, and that the location to where they're being moved is well-known, so that things don't get more confusing in the process.

If we stash a symlink in /usr/share/ssl, then packages can move to using/referencing the new location on a case-by-case basis, with the plan being to get them all switched over in Raw Hide before some to-be-determined date.

I guess that leaves the naming debate. I propose we move this stuff to "/etc/x509-certificates-and-corresponding-private-keys-and-other-related-files".

Cheers,

Nalin