Merging tlscertfile and tlscafile to only one TLS certificate

Richard Kettlewell rjk at terraraq.uk
Wed Sep 8 22:27:04 UTC 2021


On 08/09/2021 22:54, Grant Taylor wrote:
> On 9/8/21 2:47 PM, Julien ÉLIE wrote:
>> Wouldn't it be better to do the same thing as Apache?
> 
> I don't think so.  (See below.)
> 
>> Is there a reason for separating the certificates?
> 
> I believe there is.
> 
> To me:
> 
>   - The tlscertfile is the local machine's certificate.  It should 
> /only/ be accessed by processes on the local system.  --  HIGH security.
> 
>   - The tlscafile is a copy of public certificate(s) from certificate 
> authorities.  It (they) can be accessed by anyone.  --  low security.
> 
> My personal opinion is that the HIGH security and low security contents 
> should *NOT* be /mixed/ in the same file.

They are both public data and are visible in the server certificate 
message anyway.

> Aside:  There may be some quibble room over public vs private part of 
> the certificate and wherever the associated key is stored.  (I don't 
> remember off hand.)  The key /definitely/ should *NOT* be co-mingled 
> with anything else of lesser sensitivity.

This isn't about the private key material, just the certificates.

ttfn/rjk
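As an added illustration of the point above (example code, not from this thread or from INN): since certificates are public data, the only thing a merged tlscertfile/tlscafile bundle must never pick up is a private key, and that is mechanically checkable from the RFC 7468 PEM framing. Function names, the PUBLIC_LABELS set and the sample PEM bodies are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Assumption: a PEM bundle is text holding one or more
# -----BEGIN <LABEL>----- / -----END <LABEL>----- blocks (RFC 7468).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

# Labels that carry only public data and may live in a shared
# server-certificate + CA bundle. Anything else (PRIVATE KEY,
# RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...) is rejected.
PUBLIC_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE", "X509 CRL"}


def pem_labels(text: str) -> List[str]:
    """Return the labels of all PEM blocks in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_bundle(text: str) -> Tuple[bool, Dict[str, int]]:
    """Classify the blocks of a combined cert+CA bundle.

    Returns (ok, counts). ok is False if any block is not a public
    certificate object (e.g. a key concatenated in by mistake) or if the
    bundle holds no CERTIFICATE block at all.
    """
    counts: Dict[str, int] = {}
    for label in pem_labels(text):
        counts[label] = counts.get(label, 0) + 1
    has_cert = counts.get("CERTIFICATE", 0) > 0
    only_public = all(label in PUBLIC_LABELS for label in counts)
    return has_cert and only_public, counts


# Constructed sample inputs: the base64 bodies are placeholders, not real
# DER, so only the PEM framing is exercised here.
SAFE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n"
)
UNSAFE_BUNDLE = SAFE_BUNDLE + (
    "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, bundle in (("safe", SAFE_BUNDLE), ("unsafe", UNSAFE_BUNDLE)):
        ok, counts = check_bundle(bundle)
        print(name, "OK" if ok else "REJECT", counts)
```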
