Server Setup

SSL directory – Where to store SSL certificates on a Linux server?

by , , revisited on


We have by far the largest RPM repository with dynamic stable NGINX modules and VMODs for Varnish 4.1 and 6.0 LTS. If you want to install NGINX, Varnish, and lots of useful modules for them, this is your one-stop repository to get all performance-related software.
You have to maintain an active subscription in order to be able to use the repository!

When you configure a server, you must do things right. There is the right way of doing everything. You may be wondering what is the right place to put your SSL certificate files and private keys on the server. We’ve got that covered in this post.

The right location for everything

Linux has its designated directories for everything. You’re already familiar with the /var, /etc and other directories which are part of the Filesystem Hierarchy Standard (FHS).
Well, guess what, there is a designated location for storing SSL certificates too.

It depends on the Linux distro.

SSL directory on Ubuntu

The right place to store your certificate is /etc/ssl/certs/ directory.
Save your private keys to /etc/ssl/private/ directory.

SSL directory on CentOS/RHEL

The right place to store your certificate is /etc/pki/tls/certs/ directory.
Save your private keys to /etc/pki/tls/private/ directory.

Example directory structure

Following the best practices, name the certificate file with its designated domain name, and append “.chained” if it contains intermediate and root certificates.
That is the case with SSL certificate files for NGINX – you need to make one file that contains the full chain of your certificate.

You end up with two files:

  • /etc/pki/tls/certs/example.com.chained.crt
  • /etc/pki/tls/private/example.com.key

Always secure the private key file

The private key file for your SSL certificate should always be only accessible to the root user only. Run the appropriate commands on the file to secure it:

chown root:root /etc/pki/tls/private/example.com.key
chmod 0600 /etc/pki/tls/private/example.com.key
  1. Jan

    Great article, nice to know

    Reply
  2. wwc

    how about “/etc/pki/ca-trust/extracted”? golang use that as CentOS cert path

    https://golang.org/src/crypto/x509/root_linux.go?h=ca-bundle

    Reply
    • Danila Vershinin

      Those cert paths you’re referring to are for CA (certificate authorities) bundle. It is typically a single file, holding certificates of all known certificate authorities, and is used for validating certificates of remote services your server connects with (typically). So it’s not something that is user-configurable; you install those (in CentOS 7) with yum install ca-certificates. In my post, I refer to user-configurable certificates (the ones for the services that you run on your own server, e.g. websites).

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.