On Tue, 2005-04-26 at 16:11 +0200, Farkas Levente wrote:
> hi,
> after finally cert are moved under /etc(/pki...) which should have been
> done for a long time ago, it's not clear to me. if there is a dir
> /etc/pki/CA then why ca-bundle.crt put under /etc/pki/tls/certs (in
> openssl)? what is the new proposed 'standard'? for me it's totally
> irrelevant what is the standard (anything else than /usr/share/ssl is
> better), but i'd like to know it. is there any docs about it? if
> ca-bundle.crt than eg. my CA should have to put into /etc/pki/tls/certs
> or /etc/pki/CA?

They have different purposes. The ca-bundle.crt contains certificates of
the trusted CAs. You can add your CA's certificate there if you want to.
However, the /etc/pki/CA hierarchy is intended for keys/configuration and
data files of the local certificate authority which is provided by the
/etc/pki/tls/misc/CA(.pl) scripts. After you generate the local CA certs
by CA -newca you can of course put this CA certificate into the
ca-bundle.crt.

> at the same time openssl's Makefile still create certs into
> /etc/httpd/conf/ssl.xxx/

This Makefile should probably be generalized or moved to the mod_ssl
package.

--
Tomas Mraz <tmraz@xxxxxxxxxx>
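
The distinction drawn in the reply above, as an added example that is not part of the original message: a throwaway local CA (the /etc/pki/CA role) signs a server certificate, and that certificate verifies only once the CA certificate is appended to the trust bundle (the ca-bundle.crt role). Everything lives in a temporary directory; the subject names and file names are constructed, plain openssl commands stand in for the CA -newca script, and a stock openssl.cnf is assumed.

```shell
#!/bin/sh
# Constructed demo: works in a temp directory, never touches /etc/pki.
# $DEMO/CA        plays the role of /etc/pki/CA (local CA key and data)
# $DEMO/tls/certs plays the role of /etc/pki/tls/certs (trust bundle)

setup_demo() {
    DEMO=$(mktemp -d) || return 1
    mkdir -p "$DEMO/CA/private" "$DEMO/tls/certs"
    # Local CA: private key stays under CA/private, certificate is public.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Local CA" \
        -keyout "$DEMO/CA/private/cakey.pem" \
        -out "$DEMO/CA/cacert.pem" 2>/dev/null || return 1
    chmod 600 "$DEMO/CA/private/cakey.pem"
    # Server key and CSR, then a certificate signed by the local CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$DEMO/tls/server.key" \
        -out "$DEMO/tls/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$DEMO/tls/server.csr" -days 30 \
        -CA "$DEMO/CA/cacert.pem" -CAkey "$DEMO/CA/private/cakey.pem" \
        -CAcreateserial -out "$DEMO/tls/certs/server.crt" 2>/dev/null || return 1
    # Stand-in trust bundle holding one unrelated CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Other CA" -keyout "$DEMO/other.key" \
        -out "$DEMO/tls/certs/ca-bundle.crt" 2>/dev/null || return 1
}

# Succeeds only if the server certificate chains to a CA in the bundle.
verify_server() {
    openssl verify -CAfile "$DEMO/tls/certs/ca-bundle.crt" \
        "$DEMO/tls/certs/server.crt" >/dev/null 2>&1
}

# Only the CA *certificate* is copied into the bundle; the key never moves.
trust_local_ca() {
    cat "$DEMO/CA/cacert.pem" >> "$DEMO/tls/certs/ca-bundle.crt"
}

run_demo() {
    setup_demo || return 1
    if verify_server; then echo "unexpected: trusted before import"; return 1; fi
    echo "before import: server.crt not trusted"
    trust_local_ca
    verify_server || return 1
    echo "after import: server.crt trusted"
    rm -rf "$DEMO"
}

run_demo
```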