Linux certificate storage

As opposed to Windows, Linux doesn't have a system-wide crypto API that is usable by user-mode applications. Linux does have a kernel-level Crypto API (crypto.h), which is accessible to kernel-mode code. As a result, applications store certificates in application-specific locations, and we end up with multiple copies of the same certificate. One workaround is to designate a directory for certificate storage and create symbolic links to it from the required directories.

The Linux Kernel Cryptographic API overview:

Generate CSR using a new key pair:

openssl req -nodes -newkey rsa:1024 -keyout serverName.key -out serverName.csr

Generate CSR using an existing key pair:

openssl req -new -key serverName.key -out serverName.csr

Once the request is signed, the certificate and key pair must be copied to the relevant location. Most Linux applications require a Base64-encoded certificate with a .PEM extension; this may vary, however. Apache, for example, requires a Base64-encoded .CRT certificate.
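As an added example (not from the original post) of the symbolic-link workaround described above: the shell functions below keep one copy of each certificate and key in a designated store, point the application-specific paths at it with symlinks, and check that an application path is still a link into the store and that the stored private key is not group/world readable. The store path, the function names and the GNU `stat -c %a` call are assumptions; check_pair additionally needs openssl on the PATH.

```shell
#!/bin/sh
# Added example: one central certificate store, per-application symlinks.
# STORE is an assumed location; override it with STORE=/path before calling.
STORE="${STORE:-/etc/ssl/local-store}"

# install_cert NAME CERT_FILE KEY_FILE
# Copy one certificate/key pair into the store with restrictive key permissions.
install_cert() {
    name=$1; cert=$2; key=$3
    mkdir -p "$STORE/certs" "$STORE/private"
    chmod 0755 "$STORE/certs"
    chmod 0700 "$STORE/private"                  # private keys: owner only
    cp "$cert" "$STORE/certs/$name.crt"
    cp "$key"  "$STORE/private/$name.key"
    chmod 0644 "$STORE/certs/$name.crt"
    chmod 0600 "$STORE/private/$name.key"
}

# link_cert NAME APP_CERT_PATH APP_KEY_PATH
# Point the application's expected paths at the store instead of copying.
link_cert() {
    name=$1; app_cert=$2; app_key=$3
    mkdir -p "$(dirname "$app_cert")" "$(dirname "$app_key")"
    ln -sfn "$STORE/certs/$name.crt"   "$app_cert"
    ln -sfn "$STORE/private/$name.key" "$app_key"
}

# check_links NAME APP_CERT_PATH APP_KEY_PATH
# Succeed only if both application paths are symlinks into the store (no stray
# copies) and the stored key is mode 600 (GNU stat assumed).
check_links() {
    name=$1; app_cert=$2; app_key=$3
    [ -L "$app_cert" ] || return 1
    [ "$(readlink "$app_cert")" = "$STORE/certs/$name.crt" ] || return 1
    [ -L "$app_key" ] || return 1
    [ "$(readlink "$app_key")" = "$STORE/private/$name.key" ] || return 1
    perms=$(stat -c %a "$STORE/private/$name.key") || return 1
    [ "$perms" = "600" ]
}

# check_pair NAME
# Confirm the stored certificate and key belong together by comparing their
# public keys (requires openssl on the PATH).
check_pair() {
    name=$1
    c=$(openssl x509 -in "$STORE/certs/$name.crt" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$STORE/private/$name.key" -pubout) || return 1
    [ "$c" = "$k" ]
}
```

Run check_links from a periodic job to catch application directories where someone has replaced the link with a private copy or loosened the key permissions.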

Sample storage locations:

Cisco AnyConnect:

User certs:

~/.cisco/certificates/ca                   Root CA
~/.cisco/certificates/client               User certificate
~/.cisco/certificates/client/private       Private keys

Computer certs:

/opt/.cisco/certificates/ca                Root CA
/opt/.cisco/certificates/client            Client certificates
/opt/.cisco/certificates/client/private    Private keys

The locations of the certificate and private key are specified per virtual host in the config file (sample config below). Sample location:


Enabling SSL in Apache. 

Enable mod_ssl:

# a2enmod ssl

Configure Virtual Host:

This is configured in httpd.conf or apache2.conf (which by default includes httpd.conf).

DocumentRoot /var/www/
SSLEngine on
SSLCertificateFile /etc/apache2/conf/ssl.crt/
SSLCertificateKeyFile /etc/apache2/conf/ssl.key/

Restart the service:

# service httpd restart

or

# apachectl restart
