Conventions for the use of digital certificates
This document is intended to establish guidelines for the use of digital certificates in Fedora. It is currently a draft; your comments are welcome. For comments, either use the fedora-devel mailing list or send mail to JoachimSelke.
Status quo
Since Fedora Core 4, digital certificates have been stored somewhere within /etc/pki. Unfortunately, there are no guidelines on exactly where to place which certificates or certificate-related files. Consequently, some applications put certificates in /etc/pki/tls/certs and /etc/pki/tls/private, others create new directories within /etc/pki, and others put them somewhere in /etc or /usr/share.
General structure
- By default /etc/pki/ and /etc/pki/cacerts/ are empty directories, created by the filesystem package.
- The directory /etc/pki/cacerts/ is used for storing certificates of trusted certificate authorities (CAs). Each such certificate is stored in its own file. (TODO: in what format?)
- There should be a tool "cacert-update" that creates a "certificate index", as used by many applications, in /etc/pki/cacerts/. This is done by creating a symlink for every certificate ("ln -s my_cacert.crt $(openssl x509 -hash -noout -in my_cacert.crt).0"). In addition, "cacert-update" should create the file /etc/pki/cacert-bundle.crt from the certificates in /etc/pki/cacerts/. This is needed because, at the moment, some applications do not support "certificate indexes" and prefer to have all CA certificates in a single file. (TODO: Describe what exactly a "certificate index" is)
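A sketch of what the proposed "cacert-update" could do, added here as an illustration; it is not part of this draft or of any Fedora package. The function names cert_hash and cacert_update are hypothetical, and it assumes PEM files ending in .crt (the draft leaves the format open) and a world-readable bundle. It goes slightly beyond the text by numbering hash collisions (.0, .1, ...) and removing stale index links; because it takes the directory and bundle path as arguments, the same function covers the per-application directories described further down.

```shell
#!/bin/sh
# Hypothetical sketch of "cacert-update"; not an existing Fedora tool.
# Usage: cacert_update DIR BUNDLE
#   e.g. cacert_update /etc/pki/cacerts /etc/pki/cacert-bundle.crt

# Print the subject hash of a certificate; fails if the file does not parse.
cert_hash() {
    openssl x509 -hash -noout -in "$1" 2>/dev/null
}

cacert_update() {
    dir=$1
    bundle=$2
    # Build the bundle beside its final path so the rename below is atomic.
    tmp=$(mktemp "$bundle.XXXXXX") || return 1

    # Drop index links from earlier runs so removed CAs stop being trusted.
    for link in "$dir"/????????.[0-9]*; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done

    for cert in "$dir"/*.crt; do
        # Only regular files count; ignore symlinks and an unmatched glob.
        if [ ! -f "$cert" ] || [ -L "$cert" ]; then continue; fi
        # A file that is not a valid certificate is skipped, not trusted.
        hash=$(cert_hash "$cert") || { echo "skipping $cert" >&2; continue; }
        # Different CAs may share a hash: take the first free suffix.
        n=0
        while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
        # The extra newline keeps PEM blocks apart if a file lacks one.
        { cat "$cert"; echo; } >> "$tmp"
    done

    chmod 644 "$tmp"   # assumption: CA certificates are public data
    mv "$tmp" "$bundle"
}
```

Applications always see either the old bundle or the complete new one, since the bundle is replaced with a single rename.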
Application-specific structure
- Every application that uses digital certificates must create the empty directories
  - /etc/pki/$appname/,
  - /etc/pki/$appname/public/,
  - /etc/pki/$appname/private/, and
  - /etc/pki/$appname/cacerts/
  by default, where $appname is the application's name.
- The certificates used by the application are stored in /etc/pki/$appname/public and /etc/pki/$appname/private. The default configuration files that come with the application should contain corresponding entries. (TODO: say something about file permissions)
- By default, every such application uses /etc/pki/cacerts/ as the directory for trusted CA certificates in its configuration files (or /etc/pki/cacert-bundle.crt if the application is not able to use this directory).
- If the administrator wishes to use CA certificates other than those in /etc/pki/cacerts/, the directory /etc/pki/$appname/cacerts/ should be used instead. The tool "cacert-update" should support this by creating the certificate index in /etc/pki/$appname/cacerts/ and the CA certificate bundle file /etc/pki/$appname/cacert-bundle.crt.
CA certificate packages
- As mentioned, by default the directory /etc/pki/cacerts/ is empty. There should be packages that provide some default certificates, for example, cacerts-mozilla and cacerts-redhat.
- When installing or removing such a package, the tool "cacert-update" should be run to update the certificate index and certificate bundle file.
Default certificate authority
- The openssl package should create the directories
  - /etc/pki/CA/,
  - /etc/pki/CA/public, and
  - /etc/pki/CA/private
  by default and create a default certificate authority that is used to create and sign default certificates for other applications.
Application-specific default certificates
- Applications may generate default certificates during installation (using the openssl CA mentioned above), and/or come with an example openssl config file for generating those manually. (Already existing certificates must not be overwritten!)