From Fedora Project Wiki
This page is a draft only
It is still under construction and content may change. Do not rely on the information on this page.

Conventions for the use of digital certificates

This document is indented to establish guidelines for the use of digital guidelines in Fedora. Currently it is a draft, your comments are welcome. For comments either use the fedora-devel mailing list or send a mail to JoachimSelke.

Status quo

Since Fedora Core 4 digital certificates are stored somewhere within /etc/pki. Unfortunately, there a no guidelines on where to exactly place what certificates or certificate-related stuff. Consequently, some applications put certificates in /etc/pki/tls/certs and /etc/pki/tls/private, others create new directories within /etc/pki, others put them somewhere in /etc or /usr/share.

General structure

  • By default /etc/pki/ and /etc/pki/cacerts/ are empty directories, created by the filesystem package.
  • The directory /etc/pki/cacerts/ is used for storing certificates of trusted certificate authorities (CAs). Every such certificate is contained in an own file. (TODO: in what format?)
  • There should be a tool "cacert-update" that creates a "certificate index", like many applications use it, in /etc/pki/cacerts/. This is done by creating a symlink for every certificate ("ln -s my_cacert.crt $(openssl x509 -hash -noout -in my_cacert.crt).0"). In addition "cacert-update" should create the file /etc/pki/cacert-bundle.crt from the certificates in /etc/pki/cacerts/. This is needed because, at the moment there are some applications that do not support "certificate indexes" and prefer to have all CA certificates in a single file. (TODO: Describe what exactly a "certificate index" is)

Application-specific structure

  • Every application that uses digital certificates must create the empty directories
  • /etc/pki/$appname/,
  • /etc/pki/$appname/public/,
  • /etc/pki/$appname/private/, and
  • /etc/pki/$appname/cacerts/

by default, where $appname is the application's name.

  • In /etc/pki/$appname/public and /etc/pki/$appname/private the certs used by the application are stored. Corresponding entries should be there in the default configuration files that come with the application. (TODO: say something about file permissions)
  • By default every such application uses /etc/pki/cacerts/ as directory for trusted CA certificates in its configuration files (or /etc/pki/cacert-bundle.crt if the application is not able to use this directory).
  • If the administrator wishes to use other CA certificates than those in /etc/pki/cacerts/, the directory /etc/pki/$appname/cacerts/ then should be used by him. The tool "cacert-update" should be able to support him in doing so by creating the certificate index in /etc/pki/$appname/cacerts/ and the CA certificate bundle file /etc/pki/$appname/cacert-bundle.crt.

CA certificate packages

  • As mentioned, by default the directory /etc/pki/cacerts/ is empty. There should be packages that provide some default certificates, for example, cacerts-mozilla and cacerts-redhat.
  • When installing or removing such a package, the tool "cacert-update" should be run to update the certificate index and certificate bundle file.

Default certificate authority

  • The openssl package should create the directories
  • /etc/pki/CA/,
  • /etc/pki/CA/public, and
  • /etc/pki/CA/private

by default and create a default certificate authority that is used to create and sign default certificates for other applications.

Application-specific default certificates

  • Applications may generate default certificates during installation (using the openssl CA mentioned above), and/or come with an example openssl config file for generating those manually. (Already existing certificates must not be overwritten!)