X.509 Packaging Best Practices

Many Debian packages create, use, manage, and depend on X.509 certificates for TLS, SSL, S/MIME e-mail, VPN connections, and other cryptographic authentication.

This document attempts to collect best practices for Debian packagers whose packages deal with X.509 certificates.

Objectives

For general end-entity local certificate and key material, the following layout is recommended:

Putting local certificate and key material in /etc/ssl is not recommended, because /etc/ssl/certs is only for X.509 certificates of system-trusted CAs.

Questions

Implementation ideas