CA_DIRECTORY_LAYOUTS
There are two basic (but orthogonal) aspects of the directory-file layouts
used in tls-ca-manage.sh:

  - Layout: Traditional OpenSSL and New Centralized
  - Repo directory: nested CA or single directory of CA directories

# Layout

The default OpenSSL directory layout (hereafter called traditional) is
given below:

#  /etc/ssl ----> ca-root
#                    |
#                    +---> certs
#                    +---> private
#                    +---> newcerts
#                    +---> crl

The new centralized directory layout is:

#  /etc -> ssl -+-> ca -+-> ca-root -+-> private
#               |                    +-> db
#               |
#               +-> etc
#               +-> certs
#               +-> crl

In conjunction with either layout above, the repository can nest CAs
(a sub-CA directory sits under the CA that signed it).

With the traditional layout, nested CAs look like this:

#  /etc -> ssl -> ca-root -+-> ca-network -+-> TLS-server
#                          |               +-> mail-server
#                          |               +-> web-server
#                          |               +-> SMTP-encryption
#                          +-> ca-component ---> timestamp-server
#                          +-> ca-identity ---> employee-mail
#                          +-> ca-security -+-> card-key
#                                           +-> guard-checkpoints

With the centralized layout, nested CAs look like this (every CA, root
or sub-CA, gets its own private and db directories under ssl/ca, while
etc, certs and crl stay shared):

#  /etc -> ssl -+-> ca -+-> ca-root -+-> private
#               |       |            +-> db
#               |       +-> ca-network -+-> private
#               |       |               +-> db
#               |       +-> ca-mail -+-> private
#               |                    +-> db
#               +-> etc
#               +-> certs
#               +-> crl

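The following shell script is an added example and is not code from
tls-ca-manage.sh. It builds either layout from the diagrams above under a
base directory and checks that the private-key directory is mode 0700.
It goes slightly beyond the diagrams by handling both layouts in one
function and refusing unknown layout names. Assumptions not taken from
this page: the function names, the optional BASE argument (defaulting to
/etc/ssl), and that the openssl-ca(1) bookkeeping files index.txt, serial
and crlnumber live in db (centralized) or directly in the CA directory
(traditional).

```shell
#!/bin/sh
# Added example (not code from tls-ca-manage.sh): build either directory
# layout from the diagrams above under a base directory, and verify that
# the private-key directory is not group/world accessible.
# Assumptions, not taken from the page: the function names, the optional
# BASE argument (defaults to /etc/ssl), and that 'db' (centralized) or the
# CA directory itself (traditional) holds the openssl-ca(1) bookkeeping
# files index.txt, serial and crlnumber.

set -eu

# mk_ca_layout LAYOUT CA_NAME [BASE]
#   LAYOUT  : traditional | centralized
#   CA_NAME : e.g. ca-root, ca-network
# Prints the CA directory it created (or found already present).
mk_ca_layout() {
    layout=$1
    ca=$2
    base=${3:-/etc/ssl}

    case $layout in
    traditional)
        # BASE/<ca>/{certs,private,newcerts,crl}; db files live in BASE/<ca>
        cadir="$base/$ca"
        mkdir -p "$cadir/certs" "$cadir/newcerts" "$cadir/crl" "$cadir/private"
        dbdir="$cadir"
        ;;
    centralized)
        # BASE/ca/<ca>/{private,db}; etc, certs and crl are shared under BASE
        cadir="$base/ca/$ca"
        mkdir -p "$base/etc" "$base/certs" "$base/crl" \
                 "$cadir/private" "$cadir/db"
        dbdir="$cadir/db"
        ;;
    *)
        echo "mk_ca_layout: unknown layout '$layout'" >&2
        return 2
        ;;
    esac

    # Only the CA operator may enter the key directory; certs/crl stay public.
    chmod 0700 "$cadir/private"

    # Bookkeeping files are created once and never clobbered: resetting
    # index.txt or serial on a live CA would reissue serial numbers.
    [ -e "$dbdir/index.txt" ] || : > "$dbdir/index.txt"
    [ -e "$dbdir/serial" ]    || echo 01 > "$dbdir/serial"
    [ -e "$dbdir/crlnumber" ] || echo 01 > "$dbdir/crlnumber"

    printf '%s\n' "$cadir"
}

# check_private_dir CA_DIR: succeed only if CA_DIR/private is mode 0700.
# Tries GNU stat first, then BSD/macOS stat.
check_private_dir() {
    mode=$(stat -c '%a' "$1/private" 2>/dev/null \
           || stat -f '%Lp' "$1/private")
    [ "$mode" = "700" ]
}

# demo: recreate the nested centralized tree from the last diagram in a
# scratch directory, check every key directory, and list the result.
demo() {
    scratch=$(mktemp -d)
    for ca in ca-root ca-network ca-mail; do
        mk_ca_layout centralized "$ca" "$scratch" >/dev/null
        check_private_dir "$scratch/ca/$ca"
    done
    (cd "$scratch" && find . -type d | sort)
    rm -rf "$scratch"
}
```

Source the file and call `demo` to see the centralized tree with three
CAs; call `mk_ca_layout traditional ca-root /tmp/x` to get the OpenSSL
default tree instead. The create-once rule for serial and index.txt is
the part worth keeping in any real tool: rerunning a layout script on an
existing CA must never reset its serial counter.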
Inspired by: https://pki-tutorial.readthedocs.io/en/latest/expert/index.html