Best location to keep SSL certificates and private keys on Ubuntu servers?

On Ubuntu servers, the best practice for storing SSL certificates and private keys is to place them in a directory with restricted access. The standard directory for these files is typically within the /etc/ directory, commonly within /etc/ssl/.

Here are recommended locations for SSL certificates and keys on Ubuntu:

1. SSL Certificates: The SSL certificates, including the public key and any intermediate certificates, are usually stored in a directory such as /etc/ssl/certs/.
2. Private Keys: The private keys associated with the SSL certificates are stored in a directory such as /etc/ssl/private/.

The permissions for these directories should be set to restrict access, typically allowing only the root user or a specific system user (if necessary) to read or modify the contents. This helps to maintain security and prevent unauthorized access to these sensitive files.

Example of setting the permissions for the directories:

sudo chmod 700 /etc/ssl/private
sudo chmod 700 /etc/ssl/certs

It's also important to set permissions for the individual certificate and private key files to ensure restricted access:

sudo chmod 600 /etc/ssl/certs/your_certificate.crt
sudo chmod 600 /etc/ssl/private/your_private_key.key

Replace your_certificate.crt and your_private_key.key with the actual names of your certificate and key files.

Remember to keep regular backups of your SSL certificates and private keys in a secure location to prevent data loss in case of accidental deletion or server failure. Additionally, be cautious about file permissions and access rights to maintain security and prevent unauthorized access to these sensitive files.

Got an article suggestion? Let us know

Explore more

SSL

Solved: curl: (35) ssl connect error

The main course of this problem is the outdated `curl` package on your system.

Questions

What is SSL Certificate Monitoring?

Learn what is SSL certificate monitoring, how does it work, what are the benefits and drawbacks and how to set it up.

Guides

Solved: Invalid command ‘SSLEngine

This frequently happens on fresh Apache servers. When Apache starts it reads through the configuration files. When it encounters `SSLEngine` directive, it considers it as unknown. This is caused by the fact that the server’s basic configuration does not have `mod_ssl` module installed or enabled.

Questions

How to display remote SSL certificate details with CLI tools/cURL?

You can use `openssl` command like this. Replace the highlighted part with the select domain name

Questions

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.