SSL certificates policy
Many services provide encrypted connections, either through a dedicated port (SSL) or through the standard port with on-demand encryption (TLS). In both cases, the service requires a secret key and a public certificate. Depending on the upstream packaging, software may come with a ready-to-use example configuration file for generating them, dedicated scripts, or a dedicated procedure for creating those files. The goal of this policy is to ensure consistency on several points:
- generation: when those certificates are generated
- location: where to store the files involved
- content: what they should contain
Specification
Generation
SSL certificates should be created on initial package installation only.
Location
There are basically three kinds of files involved:
- configuration files
- public certificate
- private key
The configuration file has no use once the certificate has been created. Moreover, as the goal of this policy is to use standard content, there isn't much interest in keeping it for reference. As a consequence, it can be discarded.
The public certificate has to be located in /etc/pki/tls/certs, be named after the service it is used for, use the .pem extension, and have standard permissions. Example:
644 root root /etc/pki/tls/certs/ldap.pem
The private key has to be located in /etc/pki/tls/private, be named after the service it is used for, use the .pem extension, and have restricted permissions: 600 if the service runs under the root uid, 640 if the service runs under another uid. Example:
640 root ldap /etc/pki/tls/private/ldap.pem
Content
The goal is to enforce a uniform description and key length across the various services, while still allowing further user-definable configuration.
Here is a standardized configuration:
default_bits = 1024
encrypt_key = no
prompt = no
distinguished_name = req_dn
req_extensions = req_ext

[ req_dn ]
commonName = $host
organizationalUnitName = default $service certificate for $host
emailAddress = root@$host

[ req_ext ]
basicConstraints = CA:FALSE
Implementation
rpm-helper 0.19 includes an SSL configuration script. Here is how to use it:
%post %create_ssl_certificate <service> [bundle mode] [group]
It creates a suitable configuration file on the fly from the user-defined settings, creates the certificate and key, and then discards the configuration file.
Besides the service name, additional options may be given:
- bundle mode: if set to "true", creates a single file containing both certificate and key
- group: if set, makes the key readable by this group
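The following %post-style helper applies this policy end to end, from the standardized configuration above to the %create_ssl_certificate options (added example, not rpm-helper's own script). PKI_DIR, CERT_DAYS, the location of the bundle file and the 2048-bit key size (the policy text says 1024) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not rpm-helper's own script. PKI_DIR and CERT_DAYS are assumptions;
# override PKI_DIR to dry-run in a scratch directory.
PKI_DIR="${PKI_DIR:-/etc/pki/tls}"
CERT_DAYS="${CERT_DAYS:-3650}"

# Render the policy's standardized openssl config for one service.
# $1 = host, $2 = service (the policy's $host and $service). The policy text says
# 1024 bits; 2048 is used here because current clients reject 1024-bit RSA keys.
render_ssl_config() {
    cat <<EOF
default_bits = 2048
encrypt_key = no
prompt = no
distinguished_name = req_dn
req_extensions = req_ext

[ req_dn ]
commonName = $1
organizationalUnitName = default $2 certificate for $1
emailAddress = root@$1

[ req_ext ]
basicConstraints = CA:FALSE
EOF
}

# Key mode per policy: 600 when the service runs as root (no group), 640 otherwise.
key_mode() { if [ -n "$1" ]; then echo 640; else echo 600; fi; }

# create_ssl_certificate <service> [bundle mode] [group], as in the %post macro.
create_ssl_certificate() {
    service=$1 bundle=${2:-false} group=$3
    host=$(hostname -f 2>/dev/null || hostname)
    cert="$PKI_DIR/certs/$service.pem" key="$PKI_DIR/private/$service.pem"
    conf=$(mktemp) || return 1
    render_ssl_config "$host" "$service" > "$conf"
    # umask 077 keeps the key private even before chmod; -extensions is needed
    # because with -x509 openssl ignores req_extensions unless told the section.
    (umask 077 && openssl req -new -x509 -days "$CERT_DAYS" -config "$conf" \
        -extensions req_ext -keyout "$key" -out "$cert") || { rm -f "$conf"; return 1; }
    rm -f "$conf"                     # config has no use once the files exist
    if [ "$bundle" = true ]; then
        cat "$cert" >> "$key" && rm -f "$cert"   # assumption: bundle kept under private/
    else
        chown root:root "$cert" && chmod 644 "$cert"
    fi
    chown "root:${group:-root}" "$key" && chmod "$(key_mode "$group")" "$key"
}
```

Call it from %post as `create_ssl_certificate ldap false ldap` to get the ldap.pem files with the permissions shown in the Location section.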