Greetings. I am planning to switch the default settings of apache2-mod_ssl{,-compat} to using the system-wide certificate store /var/lib/ssl. (Currently apache2-mod_ssl uses its own internal store, /etc/httpd2/conf/ssl.*.) For now I plan to put the following settings in /etc/httpd2/conf/sites-available/default_https{-compat,}.conf (I am not sure about the values marked "????"):

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
SSLCertificateFile "/var/lib/ssl/certs/server.crt"
#SSLCertificateFile "/var/lib/ssl/certs/server-dsa.crt"

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile "/var/lib/ssl/private/server.key"
#SSLCertificateKeyFile "/var/lib/ssl/private/server-dsa.key"

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile "/var/lib/ssl/certs/ca-root.pem"   ??????????????????????????????

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "/var/lib/ssl/certs"
#SSLCACertificateFile "/var/lib/ssl/certs/ca-root.pem"   ??????????????????????????????

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath "/var/lib/ssl/certs"
#SSLCARevocationFile "/var/lib/ssl/certs/ca-bundle.crl"   ????????????????????????????????

In doing so I assume:

1. The server certificate and its key are /var/lib/ssl/certs/server.crt and /var/lib/ssl/private/server.key. The files will be created at server start if they do not exist and mod_ssl is being loaded. (Might it make more sense to use www.* instead of server.*?)

2. /var/lib/ssl/certs/ca-root.pem is the CA certificate. If I understood correctly (from examining the system; I do not know where this is documented for us), it is exactly the one used in our domain.

The main question: how correct is what I plan, for our conditions?

-- 
Regards,
Alexey.