NAME

sfindcerts - find locations for keys and certificates

SYNOPSIS

sfindcerts -key | -cert | -ca [ -sum ]

DESCRIPTION

sfindcerts finds certificates, private keys or files containing CA certificates. According to the specified options it prints the name of an existing file. When searching for a specific file (say, a certificate) it first tries a custom location, then a user location and finally a system location. The intention is to search for a certificate/key/cacert from the most specific to the most general location. The custom location is usually denoted by an environment variable. If that environment variable is not defined, the user location (typically a file in the ~/.ssl/ directory) is returned. If this file doesn't exist either, the system-wide file is returned.

An exit status of 1 denotes that sfindcerts could not find the required file.

OPTIONS

For all the cases below, the following rules apply: <user-dir> is ~/.ssl unless overridden by the value of ITISSL_USER_DIR, and <sys-dir> is /etc/ssl unless overridden by the value of ITISSL_SYS_DIR (see ENVIRONMENT).

-cert
return the (user's) certificate file. The following procedure is used to find the user's certificate file:

  1. if CERT_FILE is defined and represents a readable file, $CERT_FILE is returned. This result corresponds to the custom cert-file.

  2. if there is no custom cert-file, the value <user-dir>/<user-cert-name> is returned, provided that the corresponding file exists and is readable. This result corresponds to the user cert-file.

  3. if there is no custom cert-file and no user cert-file, the value <sys-dir>/<sys-cert-name> is returned, provided that the corresponding file exists and is readable. This result corresponds to the system cert-file.

  • <sys-cert-name> defaults to cert.pem unless overridden by the value of ITISSL_SYS_CERT
  • <user-cert-name> defaults to cert.pem unless overridden by the value of ITISSL_USER_CERT

The custom cert-file is intended to be used if the user wants an application to run under a special identity. The user cert-file will be used by default by all applications which act as the user itself. If the user doesn't bother about identities, a system-wide certificate file can supply the certificate for all of the system's users, if the system administrator intends this.

-key
return the (user's) key file. The following procedure is used to find the user's key file:

  1. if KEY_FILE is defined and represents a readable file, $KEY_FILE is returned. This result corresponds to the custom key-file.

  2. if there is no custom key-file, the value <user-dir>/<user-key-name> is returned, provided that the corresponding file exists and is readable. This result corresponds to the user key-file.

  3. if there is no custom key-file and no user key-file, the value <sys-dir>/<sys-key-name> is returned, provided that the corresponding file exists and is readable. This result corresponds to the system key-file.

  • <sys-key-name> defaults to key.pem unless overridden by the value of ITISSL_SYS_KEY
  • <user-key-name> defaults to key.pem unless overridden by the value of ITISSL_USER_KEY

The custom key-file is intended to be used if the user wants an application to run under a special identity. The user key-file will be used by default by all applications which act as the user itself. If the user doesn't bother about identities, a system-wide key file can supply the key for all of the system's users, if the system administrator intends this.

-ca [-sum]
return the (user's) ca file. A ca-file is a list of certificates of certification authorities (CAs). If -sum is not specified, the following procedure is used to find the user's CA file:

  1. if CA_FILE is defined and represents a readable file, $CA_FILE is returned. This result corresponds to the custom ca-file.

  2. if there is no custom ca-file, the value <user-dir>/<user-ca-name> is returned, provided that the corresponding file exists and is readable. This result corresponds to the user ca-file.

  3. if there is no custom ca-file and no user ca-file, the value <sys-dir>/<sys-ca-name> is returned, provided that the corresponding file exists and is readable. This result corresponds to the system ca-file.

  • <sys-ca-name> defaults to ca.pem unless overridden by the value of ITISSL_SYS_CA
  • <user-ca-name> defaults to ca.pem unless overridden by the value of ITISSL_USER_CA

The custom ca-file is intended to be used if the user wants an application to trust special CAs, but not those of the user location. The system ca-file should contain an extended list of well-known CAs, so that users need not specify their own CAs.

However, there are cases when you may want to use the certificates from your own ca-file together with those of the system-wide ca-file. For this, use the optional [ -sum ] parameter. This parameter is legal only together with the -ca parameter. If specified, a new file is created in a temporary directory (default directory /tmp), and the custom ca-file, user ca-file and system ca-file are concatenated into this file. The result is the name of the temporary file. If the variable ITISSL_TMP_DIR is defined and names a directory, it overrides the default directory used for temporary files.

Note that an application using a ca-file generated with the -sum option has to remove that temporary file itself.
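The search order above (custom location, then user location, then system location) and the -ca -sum concatenation, as an added POSIX sh example. This is not the sfindcerts source; it is a re-implementation that reads the same variables the page documents, and its use of mktemp for the temporary file name is an assumption (the page only says a new file is created).

```shell
# find_ssl_file KIND   (KIND is cert, key or ca)
# Prints the first readable candidate and returns 0; prints nothing and
# returns 1 when no file is found, mirroring the exit status of sfindcerts.
find_ssl_file() {
    kind=$1
    case $kind in
        cert) custom=$CERT_FILE; user=${ITISSL_USER_CERT:-cert.pem}; sys=${ITISSL_SYS_CERT:-cert.pem} ;;
        key)  custom=$KEY_FILE;  user=${ITISSL_USER_KEY:-key.pem};   sys=${ITISSL_SYS_KEY:-key.pem} ;;
        ca)   custom=$CA_FILE;   user=${ITISSL_USER_CA:-ca.pem};     sys=${ITISSL_SYS_CA:-ca.pem} ;;
        *) return 1 ;;
    esac
    user_dir=${ITISSL_USER_DIR:-$HOME/.ssl}
    sys_dir=${ITISSL_SYS_DIR:-/etc/ssl}
    # 1. custom location: the variable must be set AND name a readable file,
    #    otherwise it is silently skipped and the search continues
    if [ -n "$custom" ] && [ -r "$custom" ]; then printf '%s\n' "$custom"; return 0; fi
    # 2. user location
    if [ -r "$user_dir/$user" ]; then printf '%s\n' "$user_dir/$user"; return 0; fi
    # 3. system location
    if [ -r "$sys_dir/$sys" ]; then printf '%s\n' "$sys_dir/$sys"; return 0; fi
    return 1
}

# sum_ca_files: the -ca -sum behaviour. Every CA file that exists (custom,
# user, system, in that order) is appended to a new file under ITISSL_TMP_DIR
# (default /tmp) and the file name is printed. The caller must remove it.
sum_ca_files() {
    tmp_dir=${ITISSL_TMP_DIR:-/tmp}
    # ITISSL_TMP_DIR only overrides the default if it names a directory
    [ -d "$tmp_dir" ] || tmp_dir=/tmp
    # mktemp: unpredictable name, created 0600 (assumption, see lead-in)
    out=$(mktemp "$tmp_dir/cafile.XXXXXX") || return 1
    found=0
    for f in "$CA_FILE" \
             "${ITISSL_USER_DIR:-$HOME/.ssl}/${ITISSL_USER_CA:-ca.pem}" \
             "${ITISSL_SYS_DIR:-/etc/ssl}/${ITISSL_SYS_CA:-ca.pem}"; do
        [ -n "$f" ] && [ -r "$f" ] || continue
        cat "$f" >> "$out" && found=1
    done
    # nothing to concatenate: fail like a plain lookup and leave no file behind
    if [ $found -eq 0 ]; then rm -f "$out"; return 1; fi
    printf '%s\n' "$out"
}
```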

ENVIRONMENT

ITISSL_USER_KEY
if defined, specifies an alternative to key.pem
ITISSL_SYS_KEY
if defined, specifies an alternative to key.pem
ITISSL_USER_CERT
if defined, specifies an alternative to cert.pem
ITISSL_SYS_CERT
if defined, specifies an alternative to cert.pem
ITISSL_USER_CA
if defined, specifies an alternative to ca.pem
ITISSL_SYS_CA
if defined, specifies an alternative to ca.pem
ITISSL_TMP_DIR
if defined, specifies an alternative to /tmp
ITISSL_USER_DIR
if defined, specifies an alternative to ~/.ssl
ITISSL_SYS_DIR
if defined, specifies an alternative to /etc/ssl

SEE ALSO



Copyright (C) 1999 Andrei Popovici

Verbatim copying and distribution of this documentation is permitted in any medium, provided this notice is preserved.