Opened 12 years ago

Closed 7 years ago

#77 closed Feature/Enhancement Request (fixed)

Move x.509 certificates into shared location

Reported by: Jamie McClelland Owned by: Jamie McClelland
Priority: Medium Component: Tech
Keywords: x.509 Cc:
Sensitive: no

Description

Our server's ssl key and cert files are stored in multiple locations - one location for apache and one for courier (imap and pop). We should choose one directory, like:

/etc/ssl/private

And configure both apache and courier to use this shared location.

The following servers need both courier and apache to be configured for ssl:

  • viewsic
  • malcolm
  • chavez

The following servers only have apache configured (but we should consistently use the same location across all servers):

  • leslie
  • harry
  • assata
  • moses
  • mendes
  • ali

In addition we should update server configuration page to reflect these changes.

Change History (9)

comment:1 Changed 12 years ago by Jamie McClelland

See ticket #71 for the background on this request.

comment:2 Changed 12 years ago by Jamie McClelland

Ug - #79 may be another reason to do this. I didn't update the cert used by postfix (currently in /etc/postfix/ssl). I think that was causing the mail delay problems.

comment:3 Changed 11 years ago by Jamie McClelland

I took advantage of installing new certs on viewsic and menchu as an opportunity to start this process. Now, viewsic and menchu have:

  • /etc/ssl/private/SERVERNAME.mayfirst.org.pem
  • /etc/ssl/private/SERVERNAME.mayfirst.org.key
  • /etc/ssl/SERVERNAME.mayfirst.org.crt

Courier requires a pem file :( - otherwise I wouldn't bother with that one.

I updated /etc/apache2/sites-enabled/default, /etc/courier/{pop3d-ssl,imapd-ssl}, and /etc/postfix/main.cf with the new locations.

comment:4 Changed 11 years ago by Daniel Kahn Gillmor

All of these files appear to be PEM-encoded, actually. i'm not sure i understand the difference between blah.pem and blah.key as you've laid them out, other than that you've got the certificate appended to the key in the .pem file, instead of just the key.

Do the services which are only looking for the key not work when you point them to the .pem file instead of the .key file? If so, which services have those restrictions?

We should be able to have just two files: one with key+cert, and one with just the cert, no?

comment:5 Changed 11 years ago by Jamie McClelland

Are pem files supposed to be encoded differently? My understanding was that a pem file contains both the key and the cert and dh params at the bottom. Not that I really know why. But - I didn't think they are supposed to be encoded differently.

If the services that are looking for just the key can read the file that has the other stuff as well, then I think you're right, we could do away with the key file. It didn't occur to me to do it that way.

comment:6 Changed 11 years ago by Daniel Kahn Gillmor

PEM encoding just refers to the format of the text, which is wrapped in BEGIN/END CERTIFICATE lines.

Compare the contents of the .key and .pem files with diff -u -- the only difference is an appended pair of sections in the .pem file. But they're both PEM-encoded.
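As an added illustration (not part of this ticket or of any May First tooling), the following Python script checks the layout described in comment 3 and comment 6: every section in both files is PEM-armored, the .key file holds only a private key, and the .pem file is the .key file with further sections appended. The sample file contents are constructed placeholders rather than real key material, and the filenames are hypothetical.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

# A PEM section is a BEGIN/END armor pair with a label ("RSA PRIVATE KEY",
# "CERTIFICATE", "DH PARAMETERS", ...) and a base64 body in between.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Constructed sample data (placeholder base64, not a usable key or cert).
KEY_FILE = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
-----END RSA PRIVATE KEY-----
"""
PEM_FILE = KEY_FILE + """-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIJANPLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MEYCQQDPLACEHOLDERDHPARAMSBODY
-----END DH PARAMETERS-----
"""


def pem_sections(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) for each PEM-armored section, in file order."""
    return [(m.group(1), m.group(2).strip()) for m in PEM_BLOCK_RE.finditer(text)]


def bundle_report(text: str) -> Dict[str, object]:
    """Summarise which kinds of section a file contains."""
    labels = [label for label, _ in pem_sections(text)]
    return {
        "sections": labels,
        "has_private_key": any("PRIVATE KEY" in label for label in labels),
        "has_certificate": "CERTIFICATE" in labels,
        "has_dh_params": "DH PARAMETERS" in labels,
    }


def appended_sections(key_text: str, bundle_text: str) -> Optional[List[str]]:
    """If the bundle starts with exactly the sections of the key file, return the
    labels of the sections appended after it (what `diff -u` would show as
    added lines). Return None if the key file is not a prefix of the bundle."""
    key_secs = pem_sections(key_text)
    bundle_secs = pem_sections(bundle_text)
    if not key_secs or bundle_secs[: len(key_secs)] != key_secs:
        return None
    return [label for label, _ in bundle_secs[len(key_secs):]]


def key_file_is_minimal(key_text: str) -> bool:
    """A .key file should carry a private key and nothing else."""
    labels = [label for label, _ in pem_sections(key_text)]
    return len(labels) == 1 and "PRIVATE KEY" in labels[0]


if __name__ == "__main__":
    # Usage (hypothetical paths): python pem_layout.py host.key host.pem
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            key_text = f.read()
        with open(sys.argv[2]) as f:
            bundle_text = f.read()
    else:
        key_text, bundle_text = KEY_FILE, PEM_FILE
    print("key file minimal:", key_file_is_minimal(key_text))
    print("bundle sections:", bundle_report(bundle_text)["sections"])
    print("appended after key:", appended_sections(key_text, bundle_text))
```

Run without arguments it checks the constructed sample; with two paths it reads the real files. Only armor labels are inspected, so it does not confirm that the private key and certificate actually belong together; `openssl` is the tool for that.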

comment:7 Changed 11 years ago by Jamie McClelland

Thanks dkg (and wikipedia). There are so many overlapping concepts that it is often hard to keep track of them.

For my own edification:

Public Key Infrastructure (PKI) is a concept for how two computer users can authenticate with each other without prior contact. It describes a process involving a private key, public key and a certificate from a central, trusted authority that binds a public key with a user identity. It contrasts with other concepts for how to do this, like web of trust (used with Pretty Good Privacy and GnuPG) and SPKI (which I had never heard of).

x.509 is a standard for how to implement PKI that specifies the format of the various keys involved.

x.509 allows for different ways to encode the certificates, of which one way is "pem." The pem encoding happens to be the only one I'm familiar with, which makes the wikipedia entry on it very confusing. That entry makes it sound like it's defunct, when from my perspective it seems to be alive and well.

I just fixed up viewsic and menchu by updating postfix and apache to reference the .pem file in /etc/ssl/private and removing the .key files from /etc/ssl/private. I also updated the configure new server help page with the new approach.

comment:8 Changed 11 years ago by Daniel Kahn Gillmor

FWIW, i've heard OpenPGP's web of trust model described as a form of Public Key Infrastructure, so i'm not sure that the concept is only limited to models with centralized authority.

jamie said:

The pem encoding happens to be the only one I'm familiar with, which makes the wikipedia entry on it very confusing. That entry makes it sound like it's defunct, when from my perspective it seems to be alive and well.

PEM is defunct, if you're looking at its original purpose: Privacy-enhanced Electronic Mail. It is not used for that at all these days. OpenPGP and S/MIME are the two competing/rival standards for private and/or authenticated e-mail. PEM's standard for file encoding lives on in X.509, as you say, but that's it. There's no mail involved.

comment:9 Changed 7 years ago by Daniel Kahn Gillmor

Keywords: x.509 added
Resolution: fixed
Status: new → closed
Summary: Move ssl certificates into shared location → Move x.509 certificates into shared location

thanks to the pain of #4822, jamie documented all this in a description of where and how certificates are stored for MOSHes. I think this is done.
