Is there any standard or convention for where SSL certificates and associated private keys should go on the UNIX/Linux filesystem?
6 Answers
For system-wide use, OpenSSL should provide you with /etc/ssl/certs and /etc/ssl/private. The latter will be restricted to mode 700 and owned by root:root.
If you have an application that doesn’t perform initial privilege separation from root, then it might suit you to locate them somewhere local to the application with the relevantly restricted ownership and permissions.
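A small audit script that checks a private-key directory against the layout the answer above describes (directory mode 700, owned by root, nothing inside readable or writable by group or other). This is an added example, not code from the original answer; the function name audit_key_dir and its single directory argument are assumptions for this example.

```shell
#!/bin/sh
# Audit a private-key directory such as /etc/ssl/private.
# Prints one finding per line and returns 1 if anything was found, 0 if clean,
# 2 if the path is not a directory. Only regular files directly under the
# directory tree are examined; symlinks are not followed.
audit_key_dir() {
    dir="$1"
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 2
    fi
    # Directory mode: anything other than 0700 lets non-root users list or enter it.
    if [ -n "$(find "$dir" -maxdepth 0 -type d ! -perm 700)" ]; then
        echo "DIRMODE: $dir is not mode 700"
        findings=$((findings + 1))
    fi
    # Directory owner: the answer expects root:root.
    if [ -n "$(find "$dir" -maxdepth 0 ! -user root)" ]; then
        echo "DIROWNER: $dir is not owned by root"
        findings=$((findings + 1))
    fi
    # Files with any group/other read or write bit: a private key readable by
    # anyone other than its owner is the exposure this check is looking for.
    bad=$(find "$dir" -type f \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \))
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/FILEMODE: group\/other can read or write /'
        findings=$((findings + $(printf '%s\n' "$bad" | wc -l)))
    fi
    [ "$findings" -eq 0 ]
}
```

Distributions that grant a dedicated group access to keys (Debian's ssl-cert group, for instance) will be flagged on the group bits by design; adjust the find expression if that layout is what your system intends.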
This is where Go looks for public root certificates:
"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem", // OpenSUSE
"/etc/pki/tls/cacert.pem", // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
"/etc/ssl/cert.pem", // Alpine Linux
Also:
"/etc/ssl/certs", // SLES10/SLES11, https://golang.org/issue/12139
"/system/etc/security/cacerts", // Android
"/usr/local/share/certs", // FreeBSD
"/etc/pki/tls/certs", // Fedora/RHEL
"/etc/openssl/certs", // NetBSD
"/var/ssl/certs", // AIX
This will vary from distribution to distribution. For example, on Amazon Linux instances (based on RHEL 5.x and parts of RHEL 6, and compatible with CentOS), the certificates are stored in /etc/pki/tls/certs and the keys are stored in /etc/pki/tls/private. The CA certificates have their own directories, /etc/pki/CA/certs and /etc/pki/CA/private. For any given distribution, especially on hosted servers, I recommend following the already-available directory (and permissions) structure, if one is available.
Ubuntu uses /etc/ssl/certs. It also has the command update-ca-certificates which will install certificates from /usr/local/share/ca-certificates.
So installing your custom certificates in /usr/local/share/ca-certificates and running update-ca-certificates seems to be recommended.
http://manpages.ubuntu.com/manpages/latest/man8/update-ca-certificates.8.html
Great answers so far, thanks, all! But since 2009, free SSL cert systems like LetsEncrypt have become the standard, and the modern config is a tad more complicated.
LetsEncrypt has three directories, for archiving, active, and renewal data for SSL-enabled domains; check them here:
/etc/letsencrypt/archive/example.com
/etc/letsencrypt/live/example.com
/etc/letsencrypt/renewal/example.com.conf
Apache2 has two directories, for enabled and available SSL-enabled domains; check them here:
/etc/apache2/sites-enabled/example.com-le-ssl.conf
/etc/apache2/sites-available/example.com-le-ssl.conf
LetsEncrypt archives eventually get moved to another directory; check it here:
/var/lib/letsencrypt/backups/[TIMESTAMP]/example.com-le-ssl.conf_0
If you are looking for a certificate used by your Tomcat instance:
- Open the server.xml file
- Search for the SSL/TLS connector
- See the keystoreFile attribute, which contains the path to the keystore file.
It looks like this:
<Connector
protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" />