API validation
Certificate Path:
For system-wide use, OpenSSL should provide you with /etc/ssl/certs and /etc/ssl/private. The latter will be restricted to mode 700, owned by root:root.
If you have an application that does not perform an initial privsep from root, it might suit you to locate them somewhere local to the application, with suitably restricted ownership and permissions.
[root@instance1-nilsys ssl]# cd certs
[root@instance1-nilsys certs]# ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[root@instance1-nilsys certs]# ls -ltr
total 12
-rwxr-xr-x. 1 root root 829 Jul 8 12:01 renew-dummy-cert
-rw-r--r--. 1 root root 2516 Jul 8 12:01 Makefile
-rwxr-xr-x. 1 root root 610 Jul 8 12:01 make-dummy-cert
lrwxrwxrwx. 1 root root 55 Dec 9 08:33 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
lrwxrwxrwx. 1 root root 49 Dec 9 08:33 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@instance1-nilsys certs]# openssl x509 -noout -fingerprint -sha1 -inform pem -in ca-bundle.crt
SHA1 Fingerprint=93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17
[root@instance1-nilsys certs]#
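To check that a key directory, whether /etc/ssl/private or an application-local one, really has the restricted ownership and permissions described above, the following added example (not part of the original page) audits the directory and everything inside it. The function name audit_key_dir is hypothetical, and GNU stat and find are assumed.

```shell
#!/bin/sh
# Added example: audit a private-key directory against the layout described
# above (mode 700, owned by root:root, or by the application's own account).
# Assumptions: GNU stat/find (Linux); audit_key_dir is a hypothetical helper.
#
# usage: audit_key_dir DIR [UID:GID]     UID:GID defaults to 0:0 (root:root)
# returns 0 if clean, 1 on any finding, 2 if DIR is not a directory.
# The body runs in a subshell, so its variables do not leak to the caller.
audit_key_dir() (
    dir=$1
    want=${2:-0:0}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory" >&2
        return 2
    fi

    # The directory itself: exact mode 700 and the expected numeric owner.
    mode=$(stat -L -c '%a' "$dir")
    owner=$(stat -L -c '%u:%g' "$dir")
    if [ "$mode" != "700" ]; then
        echo "FAIL $dir: mode $mode, expected 700" >&2
        rc=1
    fi
    if [ "$owner" != "$want" ]; then
        echo "FAIL $dir: owner $owner, expected $want" >&2
        rc=1
    fi

    # Contents: flag anything with group/other permission bits set, or owned
    # by a different user. Symlinks are skipped (their own mode is always 777).
    bad=$(find "$dir" -mindepth 1 ! -type l \
            \( -perm /077 -o ! -uid "${want%%:*}" \) \
            -exec stat -c 'FAIL %n: mode %a owner %u:%g' {} +)
    if [ -n "$bad" ]; then
        echo "$bad" >&2
        rc=1
    fi

    return "$rc"
)

# Run as a script: ./audit.sh /etc/ssl/private        (expects root:root)
#                  ./audit.sh /opt/app/keys 1001:1001  (application account)
if [ "$#" -gt 0 ]; then
    audit_key_dir "$@"
fi
```

The directory mode is compared exactly, so a tighter mode such as 500 is also reported; relax that comparison if read-only key directories are intended.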