X.509 Packaging Best Practices

Many Debian packages create, use, manage, and depend on X.509 certificates for TLS, SSL, S/MIME e-mail, VPN connections, and other cryptographic authentication.

This document attempts to collect best practices for Debian packagers whose packages deal with X.509 certificates.

Objectives

For general end-entity local certificate and key material, the following layout is recommended:

Path                                    Mode  Owner  Group        Purpose
/etc/x509                               0755  root   root         New hierarchy for certificates
/etc/x509/keys                          0750  root   ssl-cert     Private key storage
/etc/x509/keys/${fqdn}_${service}.key   0640  root   root         Private key of a single service
/etc/x509/keys/${fqdn}_imapd.key        0640  root   imapd-group  Example: the imapd service
/etc/x509/certs                         0755  root   root         Certificates for the above keys
/etc/x509/certs/${fqdn}_${service}.crt  0644  root   root         Certificate for a single service
/etc/x509/ca                            0755  root   root         Root Certificate Authorities storage
/etc/x509/ca/${fqdn}.crt                0644  root   root         A specific CA certificate
/etc/x509/ca/cartel.example.com.crt     0644  root   root         Example: CA certificate of cartel.example.com

In the above layout one private key is installed for the imapd service. If the imapd service runs as imapd-user, that user should be in two groups: imapd-group and ssl-cert. Membership in ssl-cert is what allows it to enter /etc/x509/keys at all (the directory is 0750 root:ssl-cert); membership in imapd-group is what allows it to read the 0640 root:imapd-group key file. This way xmppd-user, who is also in the ssl-cert group, can see that ${fqdn}_imapd.key exists, but cannot read it because it is not in imapd-group. Two services therefore never share a key file merely because they both need access to the keys directory.

NOTE: It is not recommended to put local certificate and key material in /etc/ssl because /etc/ssl/certs is only for X.509 certs of system-trusted CAs. In the new scheme, /etc/x509/ca would replace the current /etc/ssl/certs directory.

NOTE2: The group name ssl-cert is suboptimal because (a) this doesn't necessarily have anything to do with SSL, and (b) it doesn't have anything to do with certs either; it guards private keys. That group is created by the ssl-cert package. In terms of a better implementation approach, a different package could provide similar functionality under a more accurate name.

NOTE3: The name /etc/x509 is suboptimal as well, because the secret key is not X.509 at all; it is PEM-encoded private key material, and only the certificate in /etc/x509/certs is an X.509 object.

NOTE4: The above proposed layout could be handled with less group juggling by using filesystem ACLs:

# apt-get install acl
# mount -o remount,acl /
# (add "acl" to the mount options of / in /etc/fstab to make it permanent; many current filesystems already enable POSIX ACLs by default, so check /proc/mounts first)
# setfacl -m u:imapd-user:r /etc/x509/keys/${fqdn}_imapd.key

An ACL on the key file alone is not sufficient: imapd-user must also be able to traverse /etc/x509/keys (0750 root:ssl-cert), either through ssl-cert membership or through an ACL granting x on the directory. Verify the effective result with getfacl on both the directory and the file, and remember that a newly added ACL entry is limited by the file's ACL mask, which setfacl recalculates from the group bits.
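The following shell functions are an added example, not part of this wiki page or of any Debian package: they create the /etc/x509 tree with the modes from the table, install one service's key under the ${fqdn}_${service}.key naming scheme, apply the combined directory-plus-file ACL that NOTE4 needs, and audit an existing tree for keys that have drifted to world-accessible or group-writable modes. They assume GNU coreutils (install, stat -c), getent, and, for the ACL helper only, setfacl from the acl package. The base directory is a parameter so the functions can be exercised on a scratch tree without root; on a real host use the default /etc/x509. The group names ssl-cert and imapd-group and the host mail.example.com are taken from the page; every other name is an assumption made for the example.

```shell
#!/bin/sh
# Added example: build and audit the /etc/x509 layout described above.
# Assumes GNU coreutils (install, stat -c %a). Plain POSIX sh, so the
# functions use global variables rather than "local".

# Create the directory skeleton with the modes from the table. The group
# change on keys/ happens only when running as root and the ssl-cert group
# exists (assumption: the ssl-cert package created it).
x509_create_layout() {
    base="${1:-/etc/x509}"
    install -d -m 0755 "$base" "$base/certs" "$base/ca"
    install -d -m 0750 "$base/keys"
    if [ "$(id -u)" = 0 ] && getent group ssl-cert >/dev/null 2>&1; then
        chgrp ssl-cert "$base/keys"
    fi
}

# Install one service's private key as ${fqdn}_${service}.key, mode 0640,
# and print the destination path. Optional 5th argument: the service's
# group (e.g. imapd-group); applied only when running as root so the
# function stays usable on a scratch tree.
x509_install_key() {
    base="$1"; fqdn="$2"; service="$3"; src="$4"; group="${5:-}"
    dst="$base/keys/${fqdn}_${service}.key"
    install -m 0640 "$src" "$dst" || return 1
    if [ -n "$group" ] && [ "$(id -u)" = 0 ]; then
        chgrp "$group" "$dst" || return 1
    fi
    printf '%s\n' "$dst"
}

# The ACL variant from NOTE4, done properly: an ACL on the key file alone
# is useless if the user cannot traverse keys/ (0750 root:ssl-cert), so
# grant x on the directory and r on the file together. Needs setfacl and
# a filesystem mounted with ACL support.
x509_grant_key_read() {
    base="$1"; fqdn="$2"; service="$3"; user="$4"
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed" >&2; return 1; }
    setfacl -m "u:$user:x" "$base/keys" &&
    setfacl -m "u:$user:r" "$base/keys/${fqdn}_${service}.key"
}

# Audit an existing tree against the table: keys/ must not be reachable by
# "other", every .key must be neither world-accessible nor group-writable,
# and every .crt must be exactly 0644. Prints each violation to stderr and
# returns 1 if any were found, 0 if the tree is clean.
x509_audit() {
    base="${1:-/etc/x509}"
    rc=0
    case "$(stat -c %a "$base/keys" 2>/dev/null)" in
        *[1-7]) echo "BAD: $base/keys is accessible by other" >&2; rc=1 ;;
    esac
    for f in "$base"/keys/*.key; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f")
        case "$mode" in
            *[1-7])       echo "BAD: $f is world-accessible ($mode)" >&2; rc=1 ;;
            *[2367][0-7]) echo "BAD: $f is group-writable ($mode)" >&2; rc=1 ;;
        esac
    done
    for f in "$base"/certs/*.crt "$base"/ca/*.crt; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f")
        [ "$mode" = 644 ] || { echo "BAD: $f should be 0644, is $mode" >&2; rc=1; }
    done
    return $rc
}

# Usage on a real host, as root (paths after /etc/x509 are assumptions):
#   x509_create_layout
#   x509_install_key /etc/x509 mail.example.com imapd /root/imapd.key imapd-group
#   x509_grant_key_read /etc/x509 mail.example.com imapd imapd-user
#   x509_audit
```

The audit deliberately accepts 0600 and 0640 for keys but rejects anything with group-write or any "other" bit, which is the property the group scheme and the ACL scheme both rely on; it does not check ownership, so that the same functions can be run on a scratch tree by an unprivileged user.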

Questions

Implementation ideas