Installing SSL certificates on Debian#

Installing and configuring SSL certificates is always an issue as to how to create them and where to store them. Most of the time people can find the procedure on how to create them, but they forget all the places where they have placed them. Some initiatives exist to have centralized key stores on systems, but getting applications to use them is still a problem.

Also on Debian is this an issue and key material is all over the system if youre not careful. Some Debian developers tried to fix it, but it ended in a “stalemate” and for now, an additional package called ssl-cert exists to create self-signed certificates. This package also provides a structure for storing commercial certificates and accessing them in a safer way. We install the package ssl-cert for this.

$ sudo apt-get install ssl-cert

After installing the package the different files for the SSL-key can be placed in /etc/ssl/private and have the right permissions as shown in the output below. This to protect the key material from being used by unauthorized processes as most keys don’t have a passphrase.

$ sudo ls -l /etc/ssl/private
-r--r----- 1 root    ssl-cert 2766 Dec 12 13:06 www.example.org_ca.pem
-r--r----- 1 root    ssl-cert 1671 Dec 12 13:06 www.example.org.crt
-r--r----- 1 root    ssl-cert 1070 Dec 12 13:06 www.example.org.csr
-r--r----- 1 root    ssl-cert 6268 Dec 12 13:06 www.example.org_intermediate.pem
-r--r----- 1 root    ssl-cert 1675 Dec 12 13:06 www.example.org.key
-r--r----- 1 root    ssl-cert 3502 Dec 12 13:06 www.example.org.pem

The location and files can only be accessed by the root user or members of the group ssl-cert. Some applications as Apache startup under the root user and access the files before switching to the actual user like www-data on Debian. For those applications, nothing is going to change, but for others like ejabberd that run completely under the ejabberd user, some things change. Those users need to be made a member of the group ssl-cert to read the files in /etc/ssl/private. Below two known services are made members of the group ssl-cert read the certificates.

$ sudo usermod -a -G ssl-cert ejabberd
$ sudo usermod -a -G ssl-cert postgres
$ id -a ejabberd
uid=123(ejabberd) gid=125(ejabberd) groups=105(ssl-cert),125(ejabberd)
$ id -a postgres
uid=105(postgres) gid=108(postgres) groups=105(ssl-cert),108(postgres)

After checking the modification was in effect as some servers use a Naming Service Caching Daemon the affected services need to be restarted. In this example, both ejabberd and PostgreSQL need to restart before the SSL certificates can be accessed.