sfindcerts - find locations for keys and certificates

sfindcerts -key | -cert | -ca [ -sum ]

sfindcerts finds certificates, private keys or files containing CA certificates. According to the specified option it prints a string naming an existing file. When searching for a specific file (say, a certificate) it first tries a custom location, then a user location and finally a system location; the intention is to search for a certificate, key or CA file from the more specific to the more general location. The custom location is usually denoted by an environment variable. If that variable is not defined, the user location (typically a file in the ~/.ssl/ directory) is returned. If this file does not exist either, the system-wide file is returned. An exit status of 1 denotes that sfindcerts could not find the required file.
For all the cases below, the following rules apply:
- <user-dir> defaults to ~/.ssl/ unless overridden by the value of ITISSL_USER_DIR
- <sys-dir> defaults to /etc/ssl unless overridden by the value of ITISSL_SYS_DIR
- -cert
- return the (user's) certificate file. The following procedure is used to find it:
- if CERT_FILE is defined and names a readable file, $CERT_FILE is returned. This result is the custom cert-file.
- if there is no custom cert-file, the value <user-dir>/<user-cert-name> is returned, provided that the corresponding file exists and is readable. This result is the user cert-file.
- if there is neither a custom cert-file nor a user cert-file, the value <sys-dir>/<sys-cert-name> is returned, provided that the corresponding file exists and is readable. This result is the system cert-file.
- <sys-cert-name> defaults to cert.pem unless overridden by the value of ITISSL_SYS_CERT
- <user-cert-name> defaults to cert.pem unless overridden by the value of ITISSL_USER_CERT
The custom cert-file is intended for the case where the user wants an application to run under a special identity. The user cert-file is used by default by all applications which act as the user itself. If the user does not care about identities, a system-wide certificate file can specify the certificate for all of the system's users, if the system administrator intends this.
- -key
- return the (user's) key file. The following procedure is used to find it:
- if KEY_FILE is defined and names a readable file, $KEY_FILE is returned. This result is the custom key-file.
- if there is no custom key-file, the value <user-dir>/<user-key-name> is returned, provided that the corresponding file exists and is readable. This result is the user key-file.
- if there is neither a custom key-file nor a user key-file, the value <sys-dir>/<sys-key-name> is returned, provided that the corresponding file exists and is readable. This result is the system key-file.
- <sys-key-name> defaults to key.pem unless overridden by the value of ITISSL_SYS_KEY
- <user-key-name> defaults to key.pem unless overridden by the value of ITISSL_USER_KEY
The custom key-file is intended for the case where the user wants an application to run under a special identity. The user key-file is used by default by all applications which act as the user itself. If the user does not care about identities, a system-wide key file can specify the key for all of the system's users, if the system administrator intends this; note that such a key has to be readable by every user for the lookup to succeed, so all of those users then share one identity.
- -ca [-sum]
- return the (user's) CA file. A ca-file is a list of certificates of certification authorities (CAs). If -sum is not specified, the following procedure is used to find the user's CA file:
- if CA_FILE is defined and names a readable file, $CA_FILE is returned. This result is the custom ca-file.
- if there is no custom ca-file, the value <user-dir>/<user-ca-name> is returned, provided that the corresponding file exists and is readable. This result is the user ca-file.
- if there is neither a custom ca-file nor a user ca-file, the value <sys-dir>/<sys-ca-name> is returned, provided that the corresponding file exists and is readable. This result is the system ca-file.
- <sys-ca-name> defaults to ca.pem unless overridden by the value of ITISSL_SYS_CA
- <user-ca-name> defaults to ca.pem unless overridden by the value of ITISSL_USER_CA
The custom ca-file is intended for the case where the user wants an application to trust special CAs rather than those of the user location. The system ca-file should contain an extensive list of well-known CAs, so that users do not have to specify their own.
However, there are cases where you may want to use the certificates from your own ca-file together with those of the system-wide ca-file. For this use the optional -sum parameter. It is legal only together with the -ca parameter. If specified, a new file is created in a temporary directory (by default /tmp), and the custom ca-file, user ca-file and system ca-file are concatenated into it; the result is the name of that temporary file. If the variable ITISSL_TMP_DIR is defined and names a directory, it overrides the default directory used for temporary files. Note that an application using a ca-file generated with the -sum option has to do the cleanup itself: sfindcerts does not remove the file.
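The lookup order described above, as an added example that is not part of ITISSL or of sfindcerts itself: a POSIX-shell re-implementation of the three-step search used by -key, -cert and -ca, plus the -ca -sum concatenation. Variable names and defaults are those documented above; the function names find_cert_file and sum_ca_files, the use of mktemp(1) for the temporary file, the choice to fail when no CA file exists at all, and the sample directory layout in demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of ITISSL): a POSIX-shell re-implementation of the
# sfindcerts lookup order, custom file -> <user-dir> -> <sys-dir>, and of the
# -ca -sum concatenation. Variable names and defaults follow the manual page;
# the function names find_cert_file and sum_ca_files are this example's own.

# find_cert_file key|cert|ca
#   Prints the first readable candidate and returns 0; prints nothing and
#   returns 1 when none exists, matching the exit status of sfindcerts.
find_cert_file() {
    case $1 in
        key)  custom=${KEY_FILE:-};  user_name=${ITISSL_USER_KEY:-key.pem};   sys_name=${ITISSL_SYS_KEY:-key.pem} ;;
        cert) custom=${CERT_FILE:-}; user_name=${ITISSL_USER_CERT:-cert.pem}; sys_name=${ITISSL_SYS_CERT:-cert.pem} ;;
        ca)   custom=${CA_FILE:-};   user_name=${ITISSL_USER_CA:-ca.pem};     sys_name=${ITISSL_SYS_CA:-ca.pem} ;;
        *)    echo "usage: find_cert_file key|cert|ca" >&2; return 2 ;;
    esac
    user_dir=${ITISSL_USER_DIR:-$HOME/.ssl}
    sys_dir=${ITISSL_SYS_DIR:-/etc/ssl}

    # The custom location is honoured only when the variable names a readable
    # regular file; otherwise the search falls through to the next location.
    for candidate in "$custom" "$user_dir/$user_name" "$sys_dir/$sys_name"; do
        if [ -n "$candidate" ] && [ -f "$candidate" ] && [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# sum_ca_files
#   Equivalent of "sfindcerts -ca -sum": concatenates every readable one of
#   the custom, user and system CA files into a new file under
#   ${ITISSL_TMP_DIR:-/tmp} and prints its name. mktemp(1) is used here so
#   the name is unpredictable and the file is created mode 0600 in a shared
#   /tmp (the manual page does not say how sfindcerts names its file). The
#   caller must delete the result. Returning 1 when no CA file exists at all
#   is this example's choice, not documented sfindcerts behaviour.
sum_ca_files() {
    tmp_dir=${ITISSL_TMP_DIR:-/tmp}
    [ -d "$tmp_dir" ] || tmp_dir=/tmp          # value is not a directory: ignore it
    out=$(mktemp "$tmp_dir/ca-sum.XXXXXX") || return 1
    found=0
    for f in "${CA_FILE:-}" \
             "${ITISSL_USER_DIR:-$HOME/.ssl}/${ITISSL_USER_CA:-ca.pem}" \
             "${ITISSL_SYS_DIR:-/etc/ssl}/${ITISSL_SYS_CA:-ca.pem}"; do
        if [ -n "$f" ] && [ -f "$f" ] && [ -r "$f" ]; then
            # A newline after each part keeps PEM blocks from fusing when a
            # file lacks a trailing newline.
            cat "$f" >>"$out" && printf '\n' >>"$out" && found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        rm -f "$out"
        return 1
    fi
    printf '%s\n' "$out"
}

# Demonstration on a constructed directory layout; the "certificates" are
# placeholder text, not real PEM data. Runs in a subshell so the exported
# variables do not leak into the caller's environment.
demo() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/user" "$root/sys"
    printf 'user cert\n' >"$root/user/cert.pem"
    printf 'sys cert\n'  >"$root/sys/cert.pem"
    printf 'sys key\n'   >"$root/sys/key.pem"
    printf 'user ca\n'   >"$root/user/ca.pem"
    printf 'sys ca\n'    >"$root/sys/ca.pem"
    export ITISSL_USER_DIR="$root/user" ITISSL_SYS_DIR="$root/sys" ITISSL_TMP_DIR="$root"
    unset CERT_FILE KEY_FILE CA_FILE

    echo "cert:        $(find_cert_file cert)"   # user file wins over the system one
    echo "key:         $(find_cert_file key)"    # no user key.pem, so the system one
    CERT_FILE="$root/sys/cert.pem"; export CERT_FILE
    echo "custom cert: $(find_cert_file cert)"   # a readable CERT_FILE wins
    unset CERT_FILE
    sum=$(sum_ca_files) && { echo "ca bundle $sum:"; cat "$sum"; rm -f "$sum"; }
    rm -rf "$root"
)

demo
```

Running the script prints the user certificate (it exists and beats the system copy), the system key (there is no user key.pem), the system certificate once CERT_FILE points at it, and the concatenated CA bundle. Because find_cert_file insists on a readable regular file at each step, a CERT_FILE, KEY_FILE or CA_FILE that names a missing or unreadable file simply falls through to the user and system locations, exactly as the procedure above describes.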
The following environment variables are honoured, in addition to CERT_FILE, KEY_FILE and CA_FILE described above:
- ITISSL_USER_KEY
- if defined, specifies an alternative to key.pem as <user-key-name>
- ITISSL_SYS_KEY
- if defined, specifies an alternative to key.pem as <sys-key-name>
- ITISSL_USER_CERT
- if defined, specifies an alternative to cert.pem as <user-cert-name>
- ITISSL_SYS_CERT
- if defined, specifies an alternative to cert.pem as <sys-cert-name>
- ITISSL_USER_CA
- if defined, specifies an alternative to ca.pem as <user-ca-name>
- ITISSL_SYS_CA
- if defined, specifies an alternative to ca.pem as <sys-ca-name>
- ITISSL_TMP_DIR
- if defined and naming a directory, specifies an alternative to /tmp for the file created by -ca -sum
- ITISSL_USER_DIR
- if defined, specifies an alternative to ~/.ssl as <user-dir>
- ITISSL_SYS_DIR
- if defined, specifies an alternative to /etc/ssl as <sys-dir>