SSL Certificate Location on UNIX/Linux

Is there any standard or convention for where SSL certificates and associated private keys should go on the UNIX/Linux filesystem?


For system-wide use, OpenSSL should provide you /etc/ssl/certs and /etc/ssl/private. The latter of which will be restricted 700 to root:root.

If you have an application that doesn’t perform initial privilege separation from root, then it might suit you to locate them somewhere local to the application with the relevantly restricted ownership and permissions.


This is where Go looks for public root certificates:

"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
"/etc/pki/tls/cacert.pem",                           // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
"/etc/ssl/cert.pem",                                 // Alpine Linux

Also:

"/etc/ssl/certs",               // SLES10/SLES11, https://golang.org/issue/12139
"/system/etc/security/cacerts", // Android
"/usr/local/share/certs",       // FreeBSD
"/etc/pki/tls/certs",           // Fedora/RHEL
"/etc/openssl/certs",           // NetBSD
"/var/ssl/certs",               // AIX

This will vary from distribution to distribution. For example, on Amazon Linux instances (based on RHEL 5.x and parts of RHEL6, and compatible with CentOS), the certificates are stored in /etc/pki/tls/certs and the keys are stored in /etc/pki/tls/private. The CA certificates have their own directory, /etc/pki/CA/certs and /etc/pki/CA/private. For any given distribution, especially on hosted servers, I recommend to follow the already-available directory (and permissions) structure, if one is available.


Ubuntu uses /etc/ssl/certs. It also has the command update-ca-certificates which will install certificates from /usr/local/share/ca-certificates.

So installing your custom certificates in /usr/local/share/ca-certificates and running update-ca-certificates seems to be recommended.

http://manpages.ubuntu.com/manpages/latest/man8/update-ca-certificates.8.html