Where to put PKI keys?

Valeri Galtsev galtsev at kicp.uchicago.edu
Fri Dec 2 17:57:38 UTC 2016

On Fri, December 2, 2016 11:02 am, Matthew Seaman wrote:
> On 02/12/2016 16:07, James B. Byrne via freebsd-questions wrote:
>> FreeBSD-10.3 & 11.0
>> We operate a private CA for our firm and its employees.  We are also
>> in the process of moving from CentOS to FreeBSD.  My experience
>> therefore is mostly RHEL based Linux.
>> On post RHEL-5 based systems PKI certificates and keys are maintained
>> in a central store called '/etc/pki/'.  This is sub-divided according
>> to need but the primary place to find things relating to ssl/tls is
>> '/etc/pki/tls/certs/' and '/etc/pki/tls/private/'.
>> FreeBSD seems to follow the principle that packagers themselves will
>> define where their packages' keys and certs are kept.  Which is
>> entirely understandable.  But I am accustomed to looking in one place
>> for this sort of stuff.  I have searched for references to FreeBSD on
>> this subject and have not found much.
>> My question is:  Is there a recommended directory structure for
>> FreeBSD pertaining to centralised PKI storage?
>> I realise that I can just create '/etc/pki/tls/' or
>> '/usr/local/etc/pki/tls/' and manage things idiosyncratically, but if
>> there is any existing convention covering this then I would like to
>> consider it.  I note that '/usr/local/share/certs/' is used for the ca
>> bundle cert chain. Would '/usr/local/share/keys/' be considered an
>> acceptable place for keys?
> Your deductions are correct: there is no centrally mandated location for
> storing keys and certificates.  About the closest thing is
> /usr/local/etc/ssl -- on the basis that is where the ca_root_nss package
> puts a link to its list of trusted CA certificates.
> /usr/local/share/certs is intended just as a holding area for the files
> the package installs; the place where other software should expect to
> find the CA certificate collection is /usr/local/etc/ssl.  Except that
> to be really effective like that, CA certificates should be added as
> individual files and there should be a script to create links within
> that directory based on the certificate checksum.  This would make it
> possible to add local certificates as trusted and still manage the
> default collection reasonably with pkg(8).
> Applications will have their own suggested locations for keys and
> certificates -- for instance sendmail in the base system uses
> /etc/mail/certs -- but you are at liberty to invent whatever scheme
> makes sense to you.
> This is a FreeBSD thing, often summarized in the mantra "tools, not
> policy."  Meaning that it is FreeBSD's role to give you what you need to
> perform whatever task you want, but it is not FreeBSD's role to force
> you into doing that task in any particular way.  This does mean that you
> still have some work to do once you've installed an application in order
> to make it work properly.  That's good for advanced users who probably
> have all sorts of configuration systems all set to generate config
> files, but not so good for the beginners.
> So, sure -- if you want to create a centralized /usr/local/etc/pkg/tli
> directory hierarchy, please go right ahead.

Just to add to what Matthew said. I usually place certs into
/etc/ssl/certs, and keys into /etc/ssl/private (making sure the latter is
readable by root only - even though the same is true about the keys I place
there). The choice of this location forces me not to forget to install the
ca_root_nss package. But as I often have services requiring certificates
running one service per jail, in these cases I place certificates
just in the place where the config files for that service live, e.g.:
/usr/local/etc/apache24 for a jail with apache. This decision I made for
myself by ruling out an alternative: placing certs somewhere on the host
system and nullfs mounting them into jails, as I figured some day I will run
some daemon that will not know how to droppriv, so I will have to make the key
readable for its unprivileged user.

I hope, this helps.


> 	Cheers,
> 	Matthew

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
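The two practical points in this thread are Matthew's (a CA directory is only useful to OpenSSL-based software if it carries the subject-hash symlinks that CApath lookup expects, and a script should maintain those) and Valeri's (the private key directory must be readable by root only). The script below is an added example written for this page, not code from the thread, from FreeBSD or from ca_root_nss. It takes the store root as a parameter so it can be exercised on a scratch directory; on a real host the root would be something like /etc/ssl or /usr/local/etc/ssl. The function names (pki_layout, pki_install_key, pki_audit_keys, pki_rehash) are assumed for illustration, and the rehash step assumes openssl(1) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal centralised key/cert store
# with the permission discipline and subject-hash links discussed above.
# Assumes POSIX sh plus find(1), chmod(1), mkdir(1), cp(1), ln(1), readlink(1)
# and, for pki_rehash only, openssl(1).

# pki_layout ROOT: create ROOT/certs (world-readable) and ROOT/private (root only).
pki_layout() {
    root="$1"
    mkdir -p "$root/certs" "$root/private" || return 1
    chmod 0755 "$root/certs" || return 1
    chmod 0700 "$root/private"
}

# pki_install_key ROOT SRC NAME: copy a private key into ROOT/private as NAME
# and force mode 0600, so the result does not depend on the caller's umask or
# on the mode of the source file.
pki_install_key() {
    root="$1"; src="$2"; name="$3"
    cp "$src" "$root/private/$name" || return 1
    chmod 0600 "$root/private/$name"
}

# pki_audit_keys ROOT: list every regular file under ROOT/private that is
# readable by group or others. Returns 1 if any such file exists, else 0.
# find's symbolic -perm form is POSIX, so this works on both BSD and GNU find.
pki_audit_keys() {
    root="$1"
    bad=$(find "$root/private" -type f \( -perm -g+r -o -perm -o+r \) 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'group/world-readable key(s):\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# pki_rehash ROOT: for every *.pem / *.crt in ROOT/certs create the
# <subject_hash>.N symlink that OpenSSL's CApath lookup expects (the job
# c_rehash(1) does). N starts at 0 and is incremented on hash collisions, so a
# locally added CA can sit next to the packaged bundle. Re-running is idempotent.
pki_rehash() {
    root="$1"
    for cert in "$root"/certs/*.pem "$root"/certs/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 1
        name=$(basename "$cert")
        n=0
        while [ -e "$root/certs/$hash.$n" ]; do
            # Link already points at this certificate: nothing to do.
            [ "$(readlink "$root/certs/$hash.$n")" = "$name" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$name" "$root/certs/$hash.$n" || return 1
    done
}
```

Run pki_layout once, pki_install_key for each key, pki_rehash after every change to the certs directory, and pki_audit_keys from a periodic check; ownership (root:wheel) is left to the caller because it needs privilege that the functions do not otherwise require.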
