PackagingDrafts/Certificates

= Conventions for the use of digital certificates =

This document is intended to establish guidelines for the use of digital certificates in Fedora. It is currently a draft, and your comments are welcome. For comments, either use the fedora-devel mailing list or send a mail to JoachimSelke.

== Status quo ==

Since Fedora Core 4, digital certificates are stored somewhere within /etc/pki. Unfortunately, there are no guidelines on exactly where to place which certificates or certificate-related material. Consequently, some applications put certificates in /etc/pki/tls/certs and /etc/pki/tls/private, others create new directories within /etc/pki, and others put them somewhere in /etc or /usr/share.

== General structure ==

 * By default /etc/pki/ and /etc/pki/cacerts/ are empty directories, created by the filesystem package.


 * The directory /etc/pki/cacerts/ is used for storing certificates of trusted certificate authorities (CAs). Every such certificate is contained in its own file. (TODO: in what format?)


 * There should be a tool "cacert-update" that creates a "certificate index", as used by many applications, in /etc/pki/cacerts/. This is done by creating a symlink for every certificate ("ln -s my_cacert.crt $(openssl x509 -hash -noout -in my_cacert.crt).0"). In addition, "cacert-update" should create the file /etc/pki/cacert-bundle.crt from the certificates in /etc/pki/cacerts/. This is needed because, at the moment, some applications do not support "certificate indexes" and prefer to have all CA certificates in a single file. (TODO: Describe what exactly a "certificate index" is)
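
A sketch of what "cacert-update" could look like, added here as an example (it is not part of the draft and not existing Fedora code). It builds the hashed-symlink directory that OpenSSL-style CA path lookups expect and the bundle file, and works the same for /etc/pki/$appname/cacerts/. Assumptions: certificates are PEM files named *.crt with one certificate per file, the bundle is world-readable, and the function names cert_hash and cacert_update are made up for this example.

```bash
#!/bin/sh
# Added example: sketch of the proposed "cacert-update" tool.
# Assumptions: PEM input, one certificate per *.crt file, bundle mode 0644.

# Subject-name hash of one certificate, as in the draft's "ln -s" example.
cert_hash() {
    openssl x509 -hash -noout -in "$1"
}

# cacert_update DIR BUNDLE: rebuild the hash symlinks in DIR, then write BUNDLE.
cacert_update() {
    dir=$1 bundle=$2
    [ -d "$dir" ] || { echo "cacert-update: $dir is not a directory" >&2; return 1; }

    # Drop stale index entries (symlinks named <8 hex digits>.<n>) so that
    # removing a CA package also removes trust in its certificates.
    for link in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].*; do
        if [ -L "$link" ]; then rm -f -- "$link"; fi
    done

    # Build the bundle next to its final location so the rename is atomic and
    # readers never see a half-written file.
    tmp=$(mktemp "$bundle.XXXXXX") || return 1
    for cert in "$dir"/*.crt; do
        [ -f "$cert" ] || continue          # also skips an unmatched glob
        if ! hash=$(cert_hash "$cert") || [ -z "$hash" ]; then
            echo "cacert-update: skipping unparsable $cert" >&2
            continue
        fi
        # Two CAs can share a subject hash: use .0, .1, ... like c_rehash.
        n=0
        while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
            n=$((n + 1))
        done
        ln -s -- "${cert##*/}" "$dir/$hash.$n"
        cat -- "$cert" >> "$tmp"
    done
    chmod 644 "$tmp" && mv -f -- "$tmp" "$bundle"
}

# Example: cacert-update /etc/pki/cacerts /etc/pki/cacert-bundle.crt
if [ "$#" -eq 2 ]; then
    cacert_update "$1" "$2"
fi
```

Files that openssl cannot parse are skipped and reported instead of being linked or added to the bundle.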

== Application-specific structure ==

 * Every application that uses digital certificates must create the following empty directories by default, where $appname is the application's name:
   * /etc/pki/$appname/,
   * /etc/pki/$appname/public/,
   * /etc/pki/$appname/private/, and
   * /etc/pki/$appname/cacerts/


 * The certificates used by the application are stored in /etc/pki/$appname/public and /etc/pki/$appname/private. The default configuration files that come with the application should contain corresponding entries. (TODO: say something about file permissions)


 * By default every such application uses /etc/pki/cacerts/ as directory for trusted CA certificates in its configuration files (or /etc/pki/cacert-bundle.crt if the application is not able to use this directory).


 * If the administrator wishes to use CA certificates other than those in /etc/pki/cacerts/, he should use the directory /etc/pki/$appname/cacerts/. The tool "cacert-update" should support him in doing so by creating the certificate index in /etc/pki/$appname/cacerts/ and the CA certificate bundle file /etc/pki/$appname/cacert-bundle.crt.

== CA certificate packages ==

 * As mentioned, by default the directory /etc/pki/cacerts/ is empty. There should be packages that provide some default certificates, for example, cacerts-mozilla and cacerts-redhat.


 * When installing or removing such a package, the tool "cacert-update" should be run to update the certificate index and certificate bundle file.

== Default certificate authority ==

 * The openssl package should create the following directories by default and create a default certificate authority that is used to create and sign default certificates for other applications:
   * /etc/pki/CA/,
   * /etc/pki/CA/public, and
   * /etc/pki/CA/private

== Application-specific default certificates ==

 * Applications may generate default certificates during installation (using the openssl CA mentioned above), and/or come with an example openssl config file for generating those manually. (Already existing certificates must not be overwritten!)