Best practices for placing SSL certificates for use in Apache 2?
In an environment where a handful of Apache servers are running a bunch of sites using SSL certificates for HTTPS, where should these certificates be placed? In Debian or Ubuntu, should all relevant files be put in /etc/apache2/ssl? Or is there some other location better suited for this? What security concerns should be addressed when choosing locations for these files for multiple websites on the same server?
Solution 1:
FWIW, I use Debian.
I place all private keys in /etc/ssl/private, which has permission mode 0700. I place all certificates in /etc/ssl/certs, which has permission mode 0755. The owner/group for both is root:root.
Solution 2:
Basically, your SSL key files should be readable only by the root user (you should issue two commands on them: sudo chown root:root /path/to/your/keyfile.key and sudo chmod 600 /path/to/your/keyfile.key). Your certificate files can be world-readable. And it's always a good idea to keep your keys and certificates outside your web-accessible document tree; /etc/apache/ssl should work well.
Solution 3:
The following best practices for placing SSL certificates have usually worked well for me:
- /usr/share/ca-certificates/domainname/ - Put the public *.crt files obtained from the CA authority here
- /etc/ssl/certs - Create symbolic links to the files placed in the /usr/share/ca-certificates/domainname/ directory
- /etc/ssl/private/private.key - The private key is placed directly into this directory
- /opt/ssl/csr/domainname/domain.csr - I place the original CSR in this directory for my future reference.
If you are planning to use the SSL certificates for services such as Dovecot and Postfix you will also need the *.pem files. You can put those converted *.pem files in /opt/ssl/csr/domainname/*.pem and create a softlink to them in the /etc/ssl/certs directory.
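The advice in Solutions 1 to 3 (root-owned private keys with mode 0600 under /etc/ssl/private, kept out of the web-accessible document tree) can be turned into a small audit script. This is an added example, not code from any of the answers; the document root /var/www, the *.key file naming and the use of GNU stat (Debian/Ubuntu coreutils) are assumptions.

```shell
#!/bin/sh
# Added example: audit TLS private keys against the thread's recommendations.
# Assumed: GNU stat, keys named *.key, Apache document root /var/www.

# key_mode_ok OWNER MODE -> 0 when a private key is owned by root:root and
# its octal mode grants nothing to group/other (600 or 400), else 1.
key_mode_ok() {
    [ "$1" = "root:root" ] || return 1
    case "$2" in
        600|400|0600|0400) return 0 ;;
        *) return 1 ;;
    esac
}

# outside_docroot FILE DOCROOT -> 0 when FILE is neither DOCROOT nor below
# it, so a misconfigured vhost cannot serve the key as a static file.
outside_docroot() {
    case "$1" in
        "$2"|"$2"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_key FILE DOCROOT -> runs both checks against a real file; prints a
# verdict line and returns 0 on pass, 1 on any failure or missing file.
audit_key() {
    file=$1; docroot=${2:-/var/www}
    owner=$(stat -c '%U:%G' "$file" 2>/dev/null) || { echo "MISSING $file"; return 1; }
    mode=$(stat -c '%a' "$file")
    if key_mode_ok "$owner" "$mode" && outside_docroot "$file" "$docroot"; then
        echo "OK  $file ($owner $mode)"; return 0
    fi
    echo "FIX $file ($owner $mode): want root:root 0600, outside $docroot"
    return 1
}

# audit_dir DIR DOCROOT -> audits every *.key in DIR; 0 only if all pass.
audit_dir() {
    bad=0
    for k in "$1"/*.key; do
        [ -e "$k" ] || continue
        audit_key "$k" "$2" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Walk the key directory recommended in Solutions 1 and 3.
audit_dir /etc/ssl/private /var/www || echo "some keys need attention"
```

Run it as root so that the 0700 directory is readable; certificate files, which may legitimately be 0644, are not covered by key_mode_ok.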