Merging tlscertfile and tlscafile to only one TLS certificate

Grant Taylor gtaylor at tnetconsulting.net
Wed Sep 8 21:54:14 UTC 2021


On 9/8/21 2:47 PM, Julien ÉLIE wrote:
> Wouldn't it be better to do the same thing as Apache?

I don't think so.  (See below.)

> Is there a reason for separating the certificates?

I believe there is.

To me:

  - The tlscertfile is the local machine's certificate.  It should 
/only/ be accessed by processes on the local system.  --  HIGH security.

  - The tlscafile is a copy of public certificate(s) from certificate 
authorities.  It (they) can be accessed by anyone.  --  low security.

My personal opinion is that the HIGH security and low security contents 
should *NOT* be /mixed/ in the same file.

Aside:  There may be some quibble room over public vs private part of 
the certificate and wherever the associated key is stored.  (I don't 
remember off hand.)  The key /definitely/ should *NOT* be co-mingled 
with anything else of lesser sensitivity.

> (In case there is one global CA file for the news server shared with 
> several applications, it might make sense to have it elsewhere so 
> maybe that is the reason, though it seems confusing to people.)

I think it would be detrimental to security to share a common 
certificate for multiple services.  This was highlighted by the recent 
ALPACA Attack (alpaca-attack.com).



-- 
Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/inn-workers/attachments/20210908/3bd51872/attachment.bin>


More information about the inn-workers mailing list