/etc/pki/CA and ca-bundle.crt

Tomas Mraz tmraz at redhat.com
Tue Apr 26 15:21:51 UTC 2005


On Tue, 2005-04-26 at 16:11 +0200, Farkas Levente wrote:
> hi,
> after certs are finally moved under /etc(/pki...), which should have been 
> done a long time ago, it's not clear to me: if there is a dir 
> /etc/pki/CA then why is ca-bundle.crt put under /etc/pki/tls/certs (in 
> openssl)? what is the new proposed 'standard'? for me it's totally 
> irrelevant what the standard is (anything else than /usr/share/ssl is 
> better), but i'd like to know it. are there any docs about it? if 
> ca-bundle.crt, then should e.g. my CA be put into /etc/pki/tls/certs 
> or /etc/pki/CA?
They have different purposes. The ca-bundle.crt contains certificates of
the trusted CAs. You can add your CA's certificate there if you want to.
However the /etc/pki/CA hierarchy is intended for keys/configuration and
data files of the local certificate authority which is provided by
the /etc/pki/tls/misc/CA(.pl) scripts. After you generate the local
CA certs with CA -newca you can of course put this CA certificate into the
ca-bundle.crt.

> at the same time openssl's Makefile still creates certs into
> /etc/httpd/conf/ssl.xxx/
This Makefile should probably be generalized or moved to the mod_ssl
package.

-- 
Tomas Mraz <tmraz at redhat.com>
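
Added example, not part of the original message or of the openssl package: a scratch directory stands in for /etc/pki to show the split described in the reply, with the local CA's key staying in the CA hierarchy and only its certificate going into ca-bundle.crt. The function names, subject names and file names under the scratch directory are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: a scratch directory stands in for /etc/pki, so the real
# trust store and any real CA key are never touched.

# Build a throwaway local CA, a server cert it signs, and a bundle that
# does not yet trust it. Layout under $1 mirrors the paths in the thread.
build_demo() {
    local root=$1
    local ca="$root/CA" certs="$root/tls/certs"
    mkdir -p "$ca/private" "$certs" && chmod 700 "$ca/private" || return 1
    # Local CA: key and certificate live in the CA hierarchy.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Local CA" \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null || return 1
    # Server certificate issued by the local CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$root/server.key" -out "$root/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$root/server.csr" -days 7 -CA "$ca/cacert.pem" \
        -CAkey "$ca/private/cakey.pem" -CAcreateserial \
        -out "$root/server.crt" 2>/dev/null || return 1
    # An unrelated self-signed CA plays the role of the shipped bundle.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
        -keyout "$root/unrelated.key" -out "$certs/ca-bundle.crt" 2>/dev/null || return 1
}

# Succeeds only if the certificate chains to a CA present in the bundle.
chains_to_bundle() {   # usage: chains_to_bundle BUNDLE CERT
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Trust the local CA: append its certificate only, never its private key.
trust_local_ca() {     # usage: trust_local_ca CA_CERT BUNDLE
    openssl x509 -in "$1" -outform PEM >> "$2"
}

root=$(mktemp -d)
build_demo "$root" || { echo "openssl setup failed" >&2; exit 1; }
bundle="$root/tls/certs/ca-bundle.crt"
if chains_to_bundle "$bundle" "$root/server.crt"; then echo "before: trusted"; else echo "before: not trusted"; fi
trust_local_ca "$root/CA/cacert.pem" "$bundle"
if chains_to_bundle "$bundle" "$root/server.crt"; then echo "after: trusted"; else echo "after: not trusted"; fi
rm -rf "$root"
```
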



