X.509 Packaging Best Practices
Many Debian packages create, use, manage, and depend on X.509 certificates for TLS, SSL, S/MIME e-mail, VPN connections, and other cryptographic authentication.
This document attempts to collect best practices for Debian packagers whose packages deal with X.509 certificates.
Objectives
- Make it easy for an administrator to configure and manage his or her system's X.509 certificates with a single, easily auditable point of control.
- Make it easy for a packager to rely on certificate creation, management, expiry, etc. so that each package doesn't need to reimplement these functions.
- Make it easy for a user to use client-side certificates across tools.
- Make it easy for a user to connect to network services predictably with different tools.
- Make it easy for an application to check the status of the certificate of its peer
Recommended directory layout
For general end-entity local certificate and key material, the following layout is recommended:
/etc/x509: mode => 0755, owner => root, group => root
/etc/x509/keys: mode => 0710, owner => root, group => root
/etc/x509/keys/$fqdn_$service.key: mode => 0600, owner => root, group => root
/etc/x509/certs: mode => 0755, owner => root, group => root
/etc/x509/certs/$fqdn_$service.crt: mode => 0644, owner => root, group => root
With these modes only root can traverse /etc/x509/keys, so a daemon that drops privileges must either read its key before doing so or be granted access through a dedicated group on the keys directory and key file (who owns the key material is one of the open questions below).
Local certificate and key material should not be put in /etc/ssl, because /etc/ssl/certs is reserved for the X.509 certificates of system-trusted CAs.
Questions
- Where to store secret key material? (/etc/ssl/private?)
  - Sharing key material across services: a question for the administrator?
- Who owns the secret key material, and how do we manage access to it?
- Locations for the service certificates?
- Should we automatically create the key, certificate and certificate request on installation?
Implementation ideas
- Use something like dbconfig-common for creating X.509 service certificates.
- Have only one store of public CA certificates, add support for reading that store to all libraries, and make applications use it by default.
- Have a library that does CRL/OCSP/blacklist checking and make applications use it.
- Store trust settings in the CA store.
- Make applications use the trust settings, adding support to applications and libraries that can't read the trust settings.