When you configure a server, you must do things right. There is a right way of doing everything. You may be wondering where to put your SSL certificate files and private keys on the server. We’ve got that covered in this post.
The right location for everything
Linux has its designated directories for everything. You’re already familiar with /var, /etc and other directories which are part of the Filesystem Hierarchy Standard (FHS).
Well, guess what, there is a designated location for storing SSL certificates too.
It depends on the Linux distro.
SSL directory on Ubuntu
The right place to store your certificate is the /etc/ssl/certs/ directory.
Save your private keys to the /etc/ssl/private/ directory.
SSL directory on CentOS/RHEL
The right place to store your certificate is the /etc/pki/tls/certs/ directory.
Save your private keys to the /etc/pki/tls/private/ directory.
Example directory structure
Following best practices, name the certificate file after its designated domain name, and append “.chained” if it contains intermediate and root certificates.
That is the case with SSL certificate files for NGINX – you need to make one file that contains the full chain of your certificate.
You end up with two files:
/etc/pki/tls/certs/example.com.chained.crt
/etc/pki/tls/private/example.com.key
Always secure the private key file
The private key file for your SSL certificate should be accessible to the root user only. Run the appropriate commands on the file to secure it:
chown root:root /etc/pki/tls/private/example.com.key
chmod 0600 /etc/pki/tls/private/example.com.key
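To verify that setting later, for every key in the directory, here is an added audit example (not part of the original post). It assumes GNU coreutils stat; the function names check_key and audit_key_dir are hypothetical.

```shell
#!/bin/sh
# Added example: audit private key files for the owner and mode set above.
# Assumes GNU coreutils `stat -c`. Function names are hypothetical.
# Usage: audit_key_dir /etc/pki/tls/private

# check_key FILE [OWNER:GROUP] [MODE]
# Prints one line per finding. Returns 0 if compliant, 1 otherwise.
check_key() {
    file=$1
    want_owner=${2:-root:root}
    want_mode=${3:-600}
    rc=0

    # A symlink or directory is reported rather than followed.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "SKIP  $file (not a regular file)"
        return 1
    fi

    owner=$(stat -c '%U:%G' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL  $file owner=$owner expected=$want_owner"
        rc=1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "FAIL  $file mode=$mode expected=$want_mode"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK    $file"
    fi
    return "$rc"
}

# audit_key_dir DIR [OWNER:GROUP] [MODE]
# Checks every *.key file in DIR. Returns 0 only if all are compliant.
audit_key_dir() {
    dir=$1
    bad=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        check_key "$f" "${2:-}" "${3:-}" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}
```

Run it as root so that stat can read the key directory, and use the non-zero exit status to fail a cron job or configuration-management check.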