Where to put PKI keys?

Matthew Seaman matthew at FreeBSD.org
Fri Dec 2 17:02:56 UTC 2016

On 02/12/2016 16:07, James B. Byrne via freebsd-questions wrote:
> FreeBSD-10.3 & 11.0
> We operate a private CA for our firm and its employees.  We are also
> in the process of moving from CentOS to FreeBSD.  My experience
> therefore is mostly RHEL based Linux.
> On post RHEL-5 based systems PKI certificates and keys are maintained
> in a central store called '/etc/pki/'.  This is sub-divided according
> to need but the primary place to find things relating to ssl/tls is
> '/etc/pki/tls/certs/' and '/etc/pki/tls/private/'.
> FreeBSD seems to follow the principal that packagers themselves will
> define where their packages' keys and certs are kept.  Which is
> entirely understandable.  But I am accustomed to looking in one place
> for this sort of stuff.  I have searched for references to FreeBSD on
> this subject and have not found much.
> My question is:  Is there a recommended directory structure for
> FreeBSD pertaining to centralised PKI storage?
> I realise that I can just create '/etc/pki/tls/' or
> '/usr/local/etc/pki/tls/' and manage things idiosyncratically, but if
> their any existing convention covering this then I would like to
> consider it.  I note that '/usr/local/share/certs/' is used for the ca
> bundle cert chain. Would '/usr/local/share/keys/' be considered an
> acceptable place for keys?

Your deductions are correct: there is no centrally mandated location for
storing keys and certificates.  About the closest thing is
/usr/local/etc/ssl -- on the basis that is where the ca_root_nss package
puts a link to its list of trusted CA certificates.
/usr/local/share/certs is intended just as a holding area for the files
the package installs; the place where other software should expect to
find the CA certificate collection is /usr/local/etc/ssl.  Except that
to be really effective like that, CA certificates should be added as
individual files and there should be a script to create links within
that directory based on the certificate checksum.  This would make it
possible to add local certificates as trusted and still manage the
default collection reasonably with pkg(8).

Applications will have their own suggested locations for keys and
certificates -- for instance sendmail in the base system uses
/etc/mail/certs -- but you are at liberty to invent whatever scheme
makes sense to you.

This is a FreeBSD thing, often summarized in the mantra "tools, not
policy."  Meaning that it is FreeBSD's role to give you what you need to
perform whatever task you want, but it is not FreeBSD's role to force
you into doing that task in any particular way.  This does mean that you
still have some work to do once you've installed an application in order
to make it work properly.  That's good for advanced users who probably
have all sorts of configuration systems all set to generate config
files, but not so good for the beginners.

So, sure -- if you want to create a centralized /usr/local/etc/pkg/tli
directory heirarchy, please go right ahead.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20161202/230f7474/attachment.sig>

More information about the freebsd-questions mailing list