SSL Certificate Location on UNIX/Linux

Solution 1:

For system wide use OpenSSL should provide you /etc/ssl/certs and /etc/ssl/private. The latter of which will be restricted 700 to root:root.

If you have an application not performing an initial privsep from root then it might suit you to locate them somewhere local to the application with the relevantly restricted ownership and permissions.

Solution 2:

This is where Go looks for public root certificates:

"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
"/etc/pki/tls/cacert.pem",                           // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
"/etc/ssl/cert.pem",                                 // Alpine Linux


"/etc/ssl/certs",               // SLES10/SLES11,
"/system/etc/security/cacerts", // Android
"/usr/local/share/certs",       // FreeBSD
"/etc/pki/tls/certs",           // Fedora/RHEL
"/etc/openssl/certs",           // NetBSD
"/var/ssl/certs",               // AIX

Solution 3:

This will vary from distribution to distribution. For example, on Amazon Linux instances (based on RHEL 5.x and parts of RHEL6, and compatible with CentOS), the certificates are stored in /etc/pki/tls/certs and the keys are stored in /etc/pki/tls/private. The CA certificates have their own directory, /etc/pki/CA/certs and /etc/pki/CA/private. For any given distribution, especially on hosted servers, I recommend to follow the already-available directory (and permissions) structure, if one is available.

Solution 4:

Ubuntu uses /etc/ssl/certs. It also has the command update-ca-certificates which will install certificates from /usr/local/share/ca-certificates.

So installing your custom certificates in /usr/local/share/ca-certificates and running update-ca-certificates seems to be recommended.