While there's no single mandatory standard, several well-established conventions exist for storing SSL/TLS certificates and keys in UNIX/Linux systems:
/etc/ssl/certs/ # Public certificates
/etc/ssl/private/ # Private keys (usually restricted to root)
/etc/pki/tls/certs/ # Common on RHEL/CentOS
/etc/pki/tls/private/ # RHEL/CentOS private key location
/usr/local/ssl/certs/ # Alternative location
When implementing SSL/TLS on your server, consider these guidelines:
- Keep private keys in /etc/ssl/private/ with 600 permissions
- Use /etc/ssl/certs/ for public certificates
- Maintain consistent naming conventions (e.g., domain.crt, domain.key)
- Consider symbolic links for certificate chains
Here are configuration examples for popular web servers:
Apache HTTPD
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
SSLCertificateChainFile /etc/ssl/certs/example.com.ca-bundle
Nginx
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
ssl_trusted_certificate /etc/ssl/certs/example.com.ca-bundle;
Here's a sample bash script for certificate deployment:
#!/bin/bash
# Deploy new SSL certificate
set -euo pipefail
CERT_NAME="example.com"
CERT_DIR="/etc/ssl/certs"
PRIVATE_DIR="/etc/ssl/private"
# Backup existing certs (skipped on a first deployment, when none exist yet);
# cp -p keeps the original mode, so the key backup stays 600
for f in "$CERT_DIR/$CERT_NAME.crt" "$PRIVATE_DIR/$CERT_NAME.key"; do
    if [ -f "$f" ]; then cp -p "$f" "$f.bak"; fi
done
# Deploy new files; install applies owner and mode as part of the copy
install -o root -g root -m 644 new_cert.crt "$CERT_DIR/$CERT_NAME.crt"
install -o root -g root -m 600 new_key.key "$PRIVATE_DIR/$CERT_NAME.key"
# Verify permissions
chown root:root "$PRIVATE_DIR/$CERT_NAME.key"
chmod 600 "$PRIVATE_DIR/$CERT_NAME.key"
Always remember these critical security practices:
- Never store private keys in web-accessible directories
- Use appropriate file permissions (400 or 600 for keys)
- Consider using encrypted partitions for private keys
- Regularly audit certificate locations and permissions
Different Linux distributions may have slightly different conventions:
- Debian/Ubuntu: Primarily uses /etc/ssl/ structure
- RHEL/CentOS: Favors /etc/pki/tls/ hierarchy
- OpenSUSE: May use /usr/share/pki/trust/anchors/
On UNIX/Linux systems, there are several conventional locations where SSL certificates and private keys are typically stored:
/etc/ssl/certs/ # For public certificates
/etc/ssl/private/ # For private keys (restricted access)
/usr/local/ssl/certs/ # Alternative location
/etc/pki/tls/certs/ # Common on RedHat-based systems
/etc/apache2/ssl/ # Apache-specific location on Debian/Ubuntu
Proper file permissions are crucial for security:
# Certificate files (readable by all)
chmod 644 /etc/ssl/certs/example.crt
# Private keys (readable only by owner)
chmod 600 /etc/ssl/private/example.key
# Set appropriate ownership
chown root:root /etc/ssl/private/example.key
Here's how these paths are typically referenced in common services:
Apache Configuration
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    # Deprecated since Apache 2.4.8; newer versions read the chain from SSLCertificateFile
    SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt
</VirtualHost>
Nginx Configuration
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/nginx.crt;
    ssl_certificate_key /etc/ssl/private/nginx.key;
    ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
}
Different distributions may have slight variations:
- Debian/Ubuntu: Typically uses /etc/ssl/certs/ and /etc/ssl/private/
- RedHat/CentOS: Often uses /etc/pki/tls/certs/ and /etc/pki/tls/private/
- FreeBSD: Commonly uses /usr/local/etc/ssl/certs/
For automated deployments, consider this bash script example:
#!/bin/bash
# Deploy new SSL certificate
set -euo pipefail
CERT_DIR="/etc/ssl/certs"
KEY_DIR="/etc/ssl/private"
# install copies the file and applies owner and mode in one step, so the key is
# never left at the default umask mode between a cp and a later chmod
install -o root -g root -m 644 new_cert.crt "$CERT_DIR/server.crt"
install -o root -g root -m 600 new_key.key "$KEY_DIR/server.key"
# Check the configuration first so a bad file does not take the site down on reload
apache2ctl configtest
systemctl reload apache2
For intermediate certificates, the common practice is:
cat intermediate1.crt intermediate2.crt > /etc/ssl/certs/ca-bundle.crt
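Serving both the "Regularly audit certificate locations and permissions" advice and the deployment scripts in the two answers above, here is an added audit helper (example code, not from either answer): it checks every file in the conventional key directories for mode 600/400, root ownership and a location outside any web root, and confirms a certificate and private key belong together before they are installed. It assumes GNU stat and the openssl CLI; KEY_OWNER, KEY_DIRS and WEB_ROOTS are names chosen for this example, not distribution conventions.

```shell
#!/bin/sh
# Added example, not from either answer above: audit private keys in the
# conventional key directories and confirm a cert/key pair belongs together
# before it is deployed. Assumes GNU stat and the openssl CLI.
# KEY_OWNER, KEY_DIRS and WEB_ROOTS are names chosen here, not conventions.
set -u

KEY_OWNER="${KEY_OWNER:-root}"
KEY_DIRS="${KEY_DIRS:-/etc/ssl/private /etc/pki/tls/private}"
WEB_ROOTS="${WEB_ROOTS:-/var/www /srv/www /usr/share/nginx/html}"

# 0 if the file is mode 600 or 400, owned by KEY_OWNER and outside every
# web root; 1 if any of those checks fails; 2 if the file does not exist.
key_file_ok() {
    local f="$1" mode owner root
    [ -f "$f" ] || return 2
    mode=$(stat -c '%a' "$f") && owner=$(stat -c '%U' "$f") || return 2
    case "$mode" in 600|400) ;; *) return 1 ;; esac
    [ "$owner" = "$KEY_OWNER" ] || return 1
    for root in $WEB_ROOTS; do
        case "$f" in "$root"/*) return 1 ;; esac
    done
    return 0
}

# Check the top-level files of every existing key directory, report each
# offending file on stderr and return the number of failures (0 = clean).
audit_key_dirs() {
    local d f bad=0
    for d in $KEY_DIRS; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            key_file_ok "$f" || { echo "BAD: $f" >&2; bad=$((bad + 1)); }
        done
    done
    return "$bad"
}

# 0 if the certificate carries the public key derived from the private key
# (works for RSA and EC keys alike), 1 otherwise or on unreadable input.
cert_key_match() {
    local cert="$1" key="$2" from_cert from_key
    from_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}
```

Run `audit_key_dirs` from cron or a configuration-management check, and call `cert_key_match new_cert.crt new_key.key` in the deployment script before the `install` lines so a mismatched pair is rejected rather than reloaded into the web server.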