Best location to keep SSL certificates and private keys on Ubuntu servers?

On Ubuntu, it looks like the best place for a private key used to sign a certificate (for use by nginx) is in /etc/ssl/private/

This answer adds that the certificate should go in /etc/ssl/certs/ but that seems like an unsafe place. Do .crt files need to be kept safe or are they considered public?


The .crt file is sent to everything that connects; it is public. (chown root:root and chmod 644)

To add to the private key location: make sure you secure it properly as well as having it in there. (chown root:ssl-cert and chmod 640)


It really doesn't matter where you put them as long as you properly protect your private key file(s). The public certificate is public; no protection needed - server privileges or otherwise.

To expand on the answer, I do not use the default location /etc/ssl.
It's easier for me to keep all mine in a separate area due to backups+other reasons.

For Apache SSL, I keep mine in /etc/apache2/ssl/private or similar "root area" in /etc/.

Example Setup

This post is geared toward Ubuntu (Debian) + Apache, but should work on most systems;
just apply the permissions and update the location/path in the given config (apache/nginx/etc.).
If the SSL key files are protected correctly (directory & files), you will be fine. Note the notes!

Create directories:

sudo mkdir /etc/apache2/ssl
sudo mkdir /etc/apache2/ssl/private
sudo chmod 755 /etc/apache2/ssl
sudo chmod 710 /etc/apache2/ssl/private

Note:
chmod 710 supports ssl-cert group under Ubuntu.
(See comments)
Setting permission to 700 on /etc/apache2/ssl/private will also work fine.

Place SSL files:

Put public www ssl certificate(s) along with intermediate certificate(s) in /etc/apache2/ssl
Put private ssl key(s) in /etc/apache2/ssl/private

Set owner:

sudo chown -R root:root /etc/apache2/ssl/
sudo chown -R root:ssl-cert /etc/apache2/ssl/private/

Note:
If you do not have the ssl-cert group, just use 'root:root' on the line above or skip the 2nd line.

Set permissions:

Public Certificate(s)

sudo chmod 644 /etc/apache2/ssl/*.crt

Private Key(s)

sudo chmod 640 /etc/apache2/ssl/private/*.key

Note:
The group permission is set to READ (640) due to Ubuntu ssl-cert group. '600' is fine as well.

Enable the Apache SSL module

sudo a2enmod ssl

Edit any Apache site files and enable

(see last paragraph) *

sudo nano /etc/apache2/sites-available/mysiteexample-ssl.conf
sudo a2ensite mysiteexample-ssl
#             ^^^^^^^^^^^^^^^^^ <-Substitute your ".conf" filename(s)

Restart Apache2 service

sudo service apache2 restart

or

sudo systemctl restart apache2.service

Done. Test your new SSL site.

* Again this goes beyond the question, but you can copy the default Apache SSL site configuration file (sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/mysiteexample-ssl.conf) as a good starting point/example of default directives/directories normally used under a simple (Ubuntu/Debian) Apache/SSL 'conf' file. It normally points to a self-signed SSL certificate+key (snakeoil), CA bundles, as well as common directives used for a given SSL site.

After copying, just edit the new .conf file and add/remove/update it as needed with new information/paths above then execute sudo a2ensite mysiteexample-ssl to enable it.
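The permission scheme both answers describe (world-readable .crt files, keys readable only by root and the ssl-cert group, a private directory nobody else can traverse) is easy to get subtly wrong when a key is later copied in with a default 644 mode. The script below is an added example, not code from either answer: it applies the same layout and modes to a directory given as a parameter, then audits that directory and fails if any key or directory is more open than the answers allow. It assumes GNU coreutils (stat -c), uses hypothetical function names, and the demonstration at the bottom runs on constructed placeholder files in a scratch directory rather than real key material; on a real server you would run setup_ssl_dirs as root against /etc/apache2/ssl.

```shell
#!/bin/sh
# Added example, not from the answers above: reproduce the layout
# (DIR for public certs, DIR/private for keys) and then audit it, so a key
# that was copied in with the wrong mode shows up. Assumes GNU stat -c.
set -eu

# Apply the permissions from the answers to DIR ($1). $2 is the group that
# may read keys (Ubuntu's ssl-cert); if that group does not exist, fall back
# to the invoking user's primary group, the equivalent of 'root:root' above.
setup_ssl_dirs() {
    base=$1
    keygroup=${2:-ssl-cert}
    if ! getent group "$keygroup" >/dev/null 2>&1; then
        keygroup=$(id -gn)
    fi
    mkdir -p "$base/private"
    chmod 755 "$base"            # anyone may list the public certificates
    chmod 710 "$base/private"    # group may traverse but not list; others nothing
    chgrp "$keygroup" "$base/private"
    # certificates and intermediates are public: 644
    find "$base" -maxdepth 1 -type f -name '*.crt' -exec chmod 644 {} +
    # private keys: owner rw, key group r, others nothing: 640
    find "$base/private" -maxdepth 1 -type f -name '*.key' \
        -exec chmod 640 {} + -exec chgrp "$keygroup" {} +
}

# Audit DIR ($1): report a key directory that is not 700/710/750, any private
# key that is not 600/640, and anything under DIR that is world-writable
# (a world-writable cert lets any local user swap in their own).
# Returns 1 if anything is wrong, 0 if the layout is clean.
audit_ssl_dirs() {
    base=$1
    bad=0
    mode=$(stat -c '%a' "$base/private")
    case $mode in
        700|710|750) ;;
        *) echo "BAD $mode $base/private (expected 700, 710 or 750)"; bad=1 ;;
    esac
    for f in "$base"/private/*.key; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case $mode in
            600|640) ;;
            *) echo "BAD $mode $f (expected 600 or 640)"; bad=1 ;;
        esac
    done
    ww=$(find "$base" -perm -o=w)
    if [ -n "$ww" ]; then
        echo "BAD world-writable entries under $base:"
        echo "$ww"
        bad=1
    fi
    return $bad
}

# Demonstration on constructed placeholder files (not real key material).
scratch=$(mktemp -d)
mkdir -p "$scratch/ssl/private"
touch "$scratch/ssl/www.example.com.crt" "$scratch/ssl/intermediate.crt"
touch "$scratch/ssl/private/www.example.com.key"   # 644 under the usual umask
setup_ssl_dirs "$scratch/ssl" "$(id -gn)"
audit_ssl_dirs "$scratch/ssl" && echo "layout OK"
chmod 644 "$scratch/ssl/private/www.example.com.key"   # simulate a carelessly copied key
audit_ssl_dirs "$scratch/ssl" || echo "audit caught the bad key"
rm -rf "$scratch"
```

The audit accepts 600 as well as 640 and 700 as well as 710, matching the notes in the answer; if you run Apache or nginx with a key group other than ssl-cert, pass that group as the second argument and the same checks still apply.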