Certificate zoo

July 26, 2007

So far I am only maintaining two applications with SSL authentication on the Debian server (ssh and PostgreSQL), but keeping track of all distinct certificates and private keys is already becoming quite difficult. I therefore plan on adopting a common simplifying convention under the following guiding principles.

  • store only one local copy of certificates and keys on the host that generated each pair; preferably use directory /etc/ssl/cert for certificates, and /etc/cert/private for keys; create additional references as symbolic links
  • use only one self-signed certificate from a local certificate authority; sign all other new certificates with its key; don’t generate the root certificate and key on the server, but on my machine at home (Mac OS X)

The drawing depicts a draft plan with the following notation (assumes PostgreSQL 8.1 with two types of client: JDBC on Mac OS X and psql on Debian).

  • new certificates and keys on Debian server inside darker gray boxes
  • other unmodified certificate and keys on Debian server inside lighter gray boxes
  • new certificates and keys on Mac OS X client inside red boxes
  • master copy of certificates and keys (only one pair per host) in bold font
  • symbolic links in italic font
  • (*) marks cases where another certificate and key is replaced (the old pair is archived as a *.save file)
  • connecting lines indicate two certificates signed with the root key
  • application needs dictate certificate and key file names in directories other than /etc/ssl/cert and /etc/cert/private


Update: locally created certificates should go into directory /etc/ssl/certs instead of /etc/ssl/cert (corrected typo).
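The convention above (one local root CA, every other certificate signed with its key, one master copy per host with symbolic links for application-specific names) as an added shell example that is not part of the original post. It assumes OpenSSL is installed and uses a caller-supplied directory instead of /etc/ssl/certs and /etc/cert/private, so it runs unprivileged; the names "localroot CA" and "pgserver" are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a local root CA and signs
# a server certificate with it; paths are relative to a caller-supplied
# directory (assumption: not the real /etc/ssl/certs and /etc/cert/private).
set -eu

make_root_ca() {   # $1 = base directory
  dir=$1
  mkdir -p "$dir/certs" "$dir/private"
  chmod 700 "$dir/private"
  # Self-signed root: the only certificate that is not signed by the root key.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=localroot CA" \
    -keyout "$dir/private/root.key" -out "$dir/certs/root.crt" 2>/dev/null
  chmod 600 "$dir/private/root.key"
}

make_signed_cert() {   # $1 = base directory, $2 = name used as CN and file name
  dir=$1; name=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$dir/private/$name.key" -out "$dir/$name.csr" 2>/dev/null
  # Sign the request with the root key; the signed cert is the master copy.
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/certs/root.crt" \
    -CAkey "$dir/private/root.key" -CAcreateserial -days 365 -sha256 \
    -out "$dir/certs/$name.crt" 2>/dev/null
  chmod 600 "$dir/private/$name.key"
  rm -f "$dir/$name.csr"
}

# Application-dictated names (PostgreSQL expects server.crt/server.key in its
# data directory) become symbolic links to the master copy, never second copies.
link_for_app() {   # $1 = base directory, $2 = name, $3 = application directory
  ln -sfn "$1/certs/$2.crt" "$3/server.crt"
  ln -sfn "$1/private/$2.key" "$3/server.key"
}

# Check that the signed certificate actually chains to the local root.
verify_chain() {   # $1 = base directory, $2 = name
  openssl verify -CAfile "$1/certs/root.crt" "$1/certs/$2.crt" >/dev/null 2>&1
}
```

Run `make_root_ca`, `make_signed_cert` and `link_for_app` in that order, then `verify_chain` to confirm the issuer before pointing an application at the links.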


One Response to “Certificate zoo”

  1. […] August 8th, 2007 I’ve used the following procedure for allowing SSL connections between PostgreSQL interactive terminals and the server. The organization of keys and certificates is roughly as was documented earlier. […]
