175

Is there any standard or convention for where SSL certificates and associated private keys should go on the UNIX/Linux filesystem?

Seanny123
John Topley

5 Answers

130

For system-wide use, OpenSSL should provide you with /etc/ssl/certs and /etc/ssl/private, the latter of which will be restricted 700 to root:root.

If you have an application that doesn’t perform initial privilege separation from root, then it might suit you to locate them somewhere local to the application with the relevantly restricted ownership and permissions.

Dan Carley
  • Is this standardized somewhere? The file system hierarchy standard doesn't contain it. – cweiske Dec 04 '13 at 20:50
  • @cweiske This seems to be historical OpenSSL convention, not formally standardized, and a very unwieldy one in my opinion. My earliest trace is this version: http://rpm.pbone.net/index.php3/stat/4/idpl/38501/dir/redhat_other/com/openssl-0.9.3a-3.i386.rpm.html – kubanczyk Apr 02 '15 at 21:20
  • Worth noting that this is only Debian-based distros. – Joshua Griffiths Sep 16 '15 at 08:23
  • Could I store the SSL certificates (e.g. Let's Encrypt or Cloudflare) for the websites here too? Thanks! – Vladyslav Turak Jan 30 '18 at 18:38
  • Arch and CentOS also store CA certs in `/etc/ssl/certs` as far as I can see. – theferrit32 Feb 15 '19 at 04:58
  • I had to read the first sentence a few times before I understood it. `For system wide use OpenSSL`: a comma is missing after "use", but it's not possible to edit it. – pmiguelpinto Mar 19 '20 at 17:37
  • This is not correct. /etc/ssl/certs is for root certs. Don't store your server certs there. – chmike Oct 23 '20 at 12:37
105

This is where Go looks for public root certificates:

    // Bundle files, tried first (Go's crypto/x509 package)
    var certFiles = []string{
        "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
        "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
        "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
        "/etc/pki/tls/cacert.pem",                           // OpenELEC
        "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
        "/etc/ssl/cert.pem",                                 // Alpine Linux
    }

Also:

    // Directories of individual certificate files, tried when no bundle file is found
    var certDirectories = []string{
        "/etc/ssl/certs",               // SLES10/SLES11, https://golang.org/issue/12139
        "/system/etc/security/cacerts", // Android
        "/usr/local/share/certs",       // FreeBSD
        "/etc/pki/tls/certs",           // Fedora/RHEL
        "/etc/openssl/certs",           // NetBSD
        "/var/ssl/certs",               // AIX
    }
Timmmm
22

This will vary from distribution to distribution. For example, on Amazon Linux instances (based on RHEL 5.x and parts of RHEL 6, and compatible with CentOS), the certificates are stored in /etc/pki/tls/certs and the keys in /etc/pki/tls/private. The CA certificates have their own directories, /etc/pki/CA/certs and /etc/pki/CA/private. For any given distribution, especially on hosted servers, I recommend following the already-available directory (and permissions) structure, if one is available.

Parker
9

Ubuntu uses /etc/ssl/certs. It also has the command update-ca-certificates which will install certificates from /usr/local/share/ca-certificates.

So installing your custom certificates in /usr/local/share/ca-certificates and running update-ca-certificates seems to be recommended.

http://manpages.ubuntu.com/manpages/latest/man8/update-ca-certificates.8.html

Jonah Braun
-1

If you are looking for the certificate used by your Tomcat instance:

  1. Open the server.xml file
  2. Search for SSL/TLS connector
  3. See keystoreFile attribute that contains the path to keystore file.

It looks like this:

<Connector
    protocol="org.apache.coyote.http11.Http11Protocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS" />