Best practices for placing SSL certificates for use in Apache 2?

In an environment where a handful of Apache servers are running a bunch of sites using SSL certificates for HTTPS, where should these certificates be placed? In Debian or Ubuntu, should all relevant files be put in /etc/apache2/ssl? Or is there some other location better suited for this? What security concerns should be addressed when choosing locations for these files for multiple websites on the same server?


Solution 1:

FWIW, I use Debian.

I place all private keys in /etc/ssl/private which has permission mode 0700. I place all certificates in /etc/ssl/certs which has permission mode 0755. The owner/group for both is root:root.

Solution 2:

Basically, your SSL key files should be readable only by the root user (you should issue two commands on them: sudo chown root:root /path/to/your/keyfile.key and sudo chmod 600 /path/to/your/keyfile.key). Your certificate files can be world-readable. And it's always a good idea to keep your keys and certificates outside your web-accessible document tree; /etc/apache/ssl should work well.
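The permission model in Solutions 1 and 2 (keys 0600 or 0400 and owned by root in a 0700 directory, certificates world-readable but never writable by group or other) can be audited with a short POSIX shell script. This is an added example, not code from the original answers. It relies on GNU stat as shipped with Debian/Ubuntu; the OWNER argument defaults to root and exists only so the checks can be exercised against a scratch directory owned by another user.

```shell
#!/bin/sh
# Audit a private-key directory and a certificate directory against the
# layout described above. Added example, not from the original post.
# Assumes GNU coreutils (stat -c), as on Debian/Ubuntu.

# mode_has_gw_write MODE: true when MODE (octal, e.g. 644) grants write to group or other
mode_has_gw_write() {
    case "$1" in
        *[2367][0-7]|*[0-7][2367]) return 0 ;;
    esac
    return 1
}

# check_key_dir DIR [OWNER]: print one WARN line per finding, return 1 if any.
# OWNER defaults to root; override only when testing in a scratch directory.
check_key_dir() {
    dir=$1 owner=${2:-root} rc=0
    dmode=$(stat -c '%a' "$dir")
    [ "$dmode" = 700 ] || { echo "WARN: $dir is mode $dmode, expected 700"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(stat -c '%a' "$f")
        fowner=$(stat -c '%U' "$f")
        case "$fmode" in
            600|400) ;;
            *) echo "WARN: $f is mode $fmode, expected 600 or 400"; rc=1 ;;
        esac
        [ "$fowner" = "$owner" ] || { echo "WARN: $f owned by $fowner, expected $owner"; rc=1; }
    done
    return $rc
}

# check_cert_dir DIR: certificates may be world-readable, but nobody except the
# owner may write them (a writable certificate is a substitution risk).
check_cert_dir() {
    dir=$1 rc=0
    dmode=$(stat -c '%a' "$dir")
    [ "$dmode" = 755 ] || { echo "WARN: $dir is mode $dmode, expected 755"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # -L follows symlinks, so links into another directory are judged by their target
        fmode=$(stat -L -c '%a' "$f")
        if mode_has_gw_write "$fmode"; then
            echo "WARN: $f is mode $fmode, writable by group or other"; rc=1
        fi
    done
    return $rc
}

# Usage on a Debian/Ubuntu host (run as root so the owner check is meaningful):
#   . ./tls-audit.sh && check_key_dir /etc/ssl/private && check_cert_dir /etc/ssl/certs
```

Both functions return non-zero on any finding, so they can be dropped into a cron job or a configuration-management check and only the WARN lines need to be read.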

Solution 3:

The following best practices for placing SSL certificates have usually worked well for me:

  1. /usr/share/ca-certificates/domainname/ - Put the public *.crt files obtained from the CA authority here
  2. /etc/ssl/certs - Create symbolic links to the files placed in the /usr/share/ca-certificates/domainname/ directory
  3. /etc/ssl/private/private.key - The private key is directly placed into this directory
  4. /opt/ssl/csr/domainname/domain.csr - I place the original CSR in this directory for my future reference.

If you are planning to use the SSL certificates for services such as Dovecot and Postfix you will also need the *.pem files. You can put those converted *.pem files in /opt/ssl/csr/domainname/*.pem and create a softlink to them in the /etc/ssl/certs directory.
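The layout in Solution 3 (CA-issued certificates under /usr/share/ca-certificates/domainname/, symlinks in /etc/ssl/certs, the key directly in /etc/ssl/private, the CSR kept under /opt/ssl/csr/domainname/) can be scripted, and the one thing that tends to break it later is a symlink left dangling after a renewed certificate is dropped in under a new file name. The script below is an added example, not the answer author's code. PREFIX is an assumed parameter (empty for a real host, a scratch directory for a dry run); the domain and file names are constructed sample values, and readlink -m is GNU coreutils.

```shell
#!/bin/sh
# Lay out one site's certificate set as in Solution 3, then verify it.
# Added example, not from the original post. Assumes GNU coreutils
# (install, readlink -m); PREFIX is an assumed parameter for dry runs.

# install_cert_set PREFIX DOMAIN CRT_FILE KEY_FILE CSR_FILE
install_cert_set() {
    prefix=$1 domain=$2 crt=$3 key=$4 csr=$5
    share="$prefix/usr/share/ca-certificates/$domain"
    certs="$prefix/etc/ssl/certs"
    private="$prefix/etc/ssl/private"
    csrdir="$prefix/opt/ssl/csr/$domain"

    install -d -m 755 "$share" "$certs"
    install -d -m 700 "$private" "$csrdir"

    # 1. public certificate(s) from the CA live under /usr/share/ca-certificates/<domain>/
    install -m 644 "$crt" "$share/"
    # 2. /etc/ssl/certs only carries symlinks to them
    ln -sfn "$share/$(basename "$crt")" "$certs/$(basename "$crt")"
    # 3. the private key goes straight into /etc/ssl/private, readable by the owner only
    install -m 600 "$key" "$private/"
    # 4. keep the original CSR for future renewals
    install -m 600 "$csr" "$csrdir/"
}

# verify_cert_links CERTS_DIR SHARE_ROOT
# Every symlink in CERTS_DIR must resolve to a regular file below SHARE_ROOT.
# Prints offenders and returns 1 otherwise; a dangling link is what you get
# after replacing a renewed certificate under a different file name.
verify_cert_links() {
    certs=$1 rc=0
    share_root=$(readlink -m "$2")
    for l in "$certs"/*; do
        [ -L "$l" ] || continue
        target=$(readlink -m "$l")
        if [ ! -f "$target" ]; then
            echo "BROKEN: $l -> $target"; rc=1; continue
        fi
        case "$target" in
            "$share_root"/*) ;;
            *) echo "OUTSIDE: $l -> $target"; rc=1 ;;
        esac
    done
    return $rc
}

# outside_docroot PATH DOCROOT: succeed only when PATH is not beneath DOCROOT,
# i.e. key and certificate material is not inside the web-served tree.
outside_docroot() {
    p=$(readlink -m "$1")
    d=$(readlink -m "$2")
    case "$p" in
        "$d"|"$d"/*) return 1 ;;
    esac
    return 0
}

# Usage on a real host (as root, with PREFIX empty):
#   install_cert_set "" example.test example.test.crt example.test.key example.test.csr
#   verify_cert_links /etc/ssl/certs /usr/share/ca-certificates
#   outside_docroot /etc/ssl/private /var/www
```

Running verify_cert_links after every renewal catches both the dangling-link case and a link that was pointed somewhere unexpected; outside_docroot is the check behind Solution 2's advice to keep keys and certificates out of the document tree.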