From Fedora Project Wiki

Revision as of 14:13, 24 May 2008 by fp-wiki>ImportUser (Imported from MoinMoin)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

THIS IS A DRAFT ONLY.

Conventions for the use of digital certificates

This document is indented to establish guidelines for the use of digital guidelines in Fedora. Currently it is a draft, your comments are welcome. For comments either use the fedora-devel mailing list or send a mail to JoachimSelke.


Status quo

Since Fedora Core 4 digital certificates are stored somewhere within /etc/pki. Unfortunately, there a no guidelines on where to exactly place what certificates or certificate-related stuff. Consequently, some applications put certificates in /etc/pki/tls/certs and /etc/pki/tls/private, others create new directories within /etc/pki, others put them somewhere in /etc or /usr/share.


General structure

  • By default /etc/pki/ and /etc/pki/cacerts/ are empty directories, created by the filesystem package.
  • The directory /etc/pki/cacerts/ is used for storing certificates of trusted certificate authorities (CAs). Every such certificate is contained in an own file. (TODO: in what format?)
  • There should be a tool "cacert-update" that creates a "certificate index", like many applications use it, in /etc/pki/cacerts/. This is done by creating a symlink for every certificate ("ln -s my_cacert.crt $(openssl x509 -hash -noout -in my_cacert.crt).0"). In addition "cacert-update" should create the file /etc/pki/cacert-bundle.crt from the certificates in /etc/pki/cacerts/. This is needed because, at the moment there are some applications that do not support "certificate indexes" and prefer to have all CA certificates in a single file. (TODO: Describe what exactly a "certificate index" is)


Application-specific structure

  • Every application that uses digital certificates must create the empty directories
  • /etc/pki/$appname/,
  • /etc/pki/$appname/public/,
  • /etc/pki/$appname/private/, and
  • /etc/pki/$appname/cacerts/

by default, where $appname is the application's name.

  • In /etc/pki/$appname/public and /etc/pki/$appname/private the certs used by the application are stored. Corresponding entries should be there in the default configuration files that come with the application. (TODO: say something about file permissions)
  • By default every such application uses /etc/pki/cacerts/ as directory for trusted CA certificates in its configuration files (or /etc/pki/cacert-bundle.crt if the application is not able to use this directory).
  • If the administrator wishes to use other CA certificates than those in /etc/pki/cacerts/, the directory /etc/pki/$appname/cacerts/ then should be used by him. The tool "cacert-update" should be able to support him in doing so by creating the certificate index in /etc/pki/$appname/cacerts/ and the CA certificate bundle file /etc/pki/$appname/cacert-bundle.crt.


CA certificate packages

  • As mentioned, by default the directory /etc/pki/cacerts/ is empty. There should be packages that provide some default certificates, for example, cacerts-mozilla and cacerts-redhat.
  • When installing or removing such a package, the tool "cacert-update" should be run to update the certificate index and certificate bundle file.


Default certificate authority

  • The openssl package should create the directories
  • /etc/pki/CA/,
  • /etc/pki/CA/public, and
  • /etc/pki/CA/private

by default and create a default certificate authority that is used to create and sign default certificates for other applications.


Application-specific default certificates

  • Applications may generate default certificates during installation (using the openssl CA mentioned above), and/or come with an example openssl config file for generating those manually. (Already existing certificates must not be overwritten!)