Merging tlscertfile and tlscafile to only one TLS certificate
Richard Kettlewell
rjk at terraraq.uk
Wed Sep 8 22:27:04 UTC 2021
On 08/09/2021 22:54, Grant Taylor wrote:
> On 9/8/21 2:47 PM, Julien ÉLIE wrote:
>> Wouldn't it be better to do the same thing as Apache?
>
> I don't think so. (See below.)
>
>> Is there a reason for separating the certificates?
>
> I believe there is.
>
> To me:
>
> - The tlscertfile is the local machine's certificate. It should
> /only/ be accessed by processes on the local system. -- HIGH security.
>
> - The tlscafile is a copy of public certificate(s) from certificate
> authorities. It (they) can be accessed by anyone. -- low security.
>
> My personal opinion is that the HIGH security and low security contents
> should *NOT* be /mixed/ in the same file.
They are both public data and are visible in the server certificate
message anyway.
> Aside: There may be some quibble room over public vs private part of
> the certificate and wherever the associated key is stored. (I don't
> remember off hand.) The key /definitely/ should *NOT* be co-mingled
> with anything else of lesser sensitivity.
This isn't about the private key material, just the certificates.
ttfn/rjk
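The distinction drawn in this reply (certificate blocks are public and may share a file; only the private key is secret) is easy to turn into a mechanical check on the files an INN admin hands to tlscertfile, tlscafile or a merged chain. The script below is an added example for this page, not INN code and not something anyone posted in the thread. It assumes a POSIX filesystem for the permission test, and the file names and PEM payloads it writes are constructed placeholders, not real X.509 or key material.

```python
"""Audit PEM bundles for the tlscertfile / tlscafile question.

Added example for this thread; it is not INN code and not something the
participants posted.  It checks the one property the reply above rests on:
certificate blocks are public and may share a file, but private key
material must never sit in the same file as anything less sensitive.
File names, labels and the placeholder payloads below are constructed.
"""
import base64
import os
import re
import stat
import tempfile

# One PEM block: "-----BEGIN label-----" ... "-----END label-----" (same label).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# Labels that carry secret material (PKCS#8, PKCS#1, SEC1, encrypted PKCS#8).
PRIVATE_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
    "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}


def make_pem(label, payload):
    """Wrap an arbitrary payload in a PEM block (constructed test data,
    not a real DER-encoded object)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def parse_pem(text):
    """Return [(label, der_bytes)] for every block; bad base64 raises ValueError."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def _read_blocks(path):
    with open(path, encoding="ascii") as f:
        return parse_pem(f.read())


def audit_cert_file(path):
    """Findings for a certificate-only file: tlscertfile, tlscafile, or a
    merged leaf+CA chain.  An empty list means the file is acceptable."""
    findings = []
    blocks = _read_blocks(path)
    if not blocks:
        findings.append("no PEM blocks found")
    keys = [lbl for lbl, _ in blocks if lbl in PRIVATE_LABELS]
    if keys:
        findings.append(f"{len(keys)} private key block(s) mixed into a certificate file")
    for lbl, _ in blocks:
        if lbl != "CERTIFICATE" and lbl not in PRIVATE_LABELS:
            findings.append(f"unexpected block type {lbl!r}")
    return findings


def audit_key_file(path):
    """Findings for the private key file: exactly one key, nothing else,
    readable only by its owner."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"key file mode {mode:04o} is readable by group or other")
    blocks = _read_blocks(path)
    keys = [lbl for lbl, _ in blocks if lbl in PRIVATE_LABELS]
    if len(keys) != 1:
        findings.append(f"expected exactly one private key block, found {len(keys)}")
    extras = sorted({lbl for lbl, _ in blocks if lbl not in PRIVATE_LABELS})
    if extras:
        findings.append(f"non-key material co-mingled with the private key: {extras}")
    return findings


def demo():
    """Write constructed files into a temp directory and audit them.
    Returns a dict of name -> findings."""
    leaf = make_pem("CERTIFICATE", b"constructed leaf certificate placeholder")
    ca = make_pem("CERTIFICATE", b"constructed CA certificate placeholder")
    key = make_pem("PRIVATE KEY", b"constructed private key placeholder")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        def write(name, text, mode):
            p = os.path.join(d, name)
            with open(p, "w", encoding="ascii") as f:
                f.write(text)
            os.chmod(p, mode)
            return p
        # Leaf followed by its CA in one file: the merged layout under discussion.
        results["merged_chain"] = audit_cert_file(write("chain.pem", leaf + ca, 0o644))
        # The real mistake: a key pasted into the certificate file.
        results["cert_with_key"] = audit_cert_file(write("bad.pem", leaf + key, 0o644))
        # Key on its own, owner-only.
        results["good_key"] = audit_key_file(write("key.pem", key, 0o600))
        # Key plus a certificate, world-readable.
        results["loose_key"] = audit_key_file(write("loose.pem", key + ca, 0o644))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else findings)
```

The merged certificate file passes cleanly, which is the point of the reply: nothing in it is secret. The only findings come from a key block landing in a certificate file, or from the key file itself being shared or world-readable.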
More information about the inn-workers mailing list