Propose a standard file and directory structure for certs and keys

I have been experimenting with several clients and have finally found one that suits me: the C acme-client.

In the process I noticed that the structure and names in the repositories for the files and directories vary wildly. It would be very helpful if the community could agree on a common setup and naming convention so changing clients would be easier with currently valid certificates.

Most of the alternative clients I have used have followed the filename scheme used by Certbot and documented here. As the officially recommended client it sets the de facto standard.

If your client doesn’t follow certbot, you could suggest to their developers that they do so.

If you want an official standard, the proper place for it to come from would be the ACME working group at the IETF that defines the protocol clients use to obtain certificates from Let’s Encrypt (and, in the future, other certificate authorities).

You could suggest it on their mailing list or issue tracker, which you can find at:

https://datatracker.ietf.org/wg/acme/about/

It’s difficult to mandate a directory structure in the ACME standard because every client has different use cases (e.g. a Windows client intended for use with IIS doesn’t really need to generate PEM files for use with Apache). But it could be possible to encode a fleshed-out version of the filename scheme used by Certbot as a SHOULD in the RFC.
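For readers who want to see what "the Certbot scheme" actually means on disk, the script below is an added example (not code from this thread or from the Certbot project). It builds a constructed Certbot-style lineage, with live/<name>/{cert,chain,fullchain,privkey}.pem as relative symlinks into numbered files under archive/<name>/, and then checks the invariants a replacement client would rely on when taking over existing certificates: all four symlinks present and resolving inside the archive, PEM headers of the expected type, fullchain.pem equal to cert.pem followed by chain.pem, and a private key not readable by group or others. The function names and the dummy PEM bodies are constructed for the example; they are not real certificates or keys.

```python
"""Validate a Certbot-style certificate directory (added example, not Certbot code)."""
import os
import stat
import tempfile
from pathlib import Path

LIVE_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")
CERT_HEADER = "-----BEGIN CERTIFICATE-----"
KEY_HEADERS = ("-----BEGIN PRIVATE KEY-----",
               "-----BEGIN RSA PRIVATE KEY-----",
               "-----BEGIN EC PRIVATE KEY-----")


def check_lineage(config_dir, name):
    """Return a list of problems found in live/<name>; an empty list means OK."""
    problems = []
    live = Path(config_dir) / "live" / name
    archive = (Path(config_dir) / "archive" / name).resolve()
    for fname in LIVE_FILES:
        link = live / fname
        if not link.is_symlink():
            problems.append(f"{fname}: missing or not a symlink")
            continue
        target = link.resolve()
        if not target.exists():
            problems.append(f"{fname}: dangling symlink -> {os.readlink(link)}")
        elif archive not in target.parents:
            problems.append(f"{fname}: points outside archive/{name}")
    if problems:
        return problems  # content checks need all four files in place

    cert = (live / "cert.pem").read_text()
    chain = (live / "chain.pem").read_text()
    fullchain = (live / "fullchain.pem").read_text()
    key = (live / "privkey.pem").read_text()
    for fname, text in (("cert.pem", cert), ("chain.pem", chain), ("fullchain.pem", fullchain)):
        if not text.lstrip().startswith(CERT_HEADER):
            problems.append(f"{fname}: does not start with a PEM certificate")
    if not key.lstrip().startswith(KEY_HEADERS):
        problems.append("privkey.pem: not a PEM private key")
    # Certbot writes fullchain.pem as cert.pem followed by chain.pem, in that order.
    if fullchain.strip() != cert.strip() + "\n" + chain.strip():
        problems.append("fullchain.pem != cert.pem + chain.pem")
    # Whatever the client, a key readable by group/others is a problem (check on the real file).
    mode = stat.S_IMODE((live / "privkey.pem").resolve().stat().st_mode)
    if mode & 0o077:
        problems.append(f"privkey.pem: mode {mode:04o} readable by group/others")
    return problems


def build_sample(config_dir, name, key_mode=0o600, break_fullchain=False, drop=None):
    """Create a constructed lineage with dummy PEM bodies (not real keys or certs)."""
    archive = Path(config_dir) / "archive" / name
    live = Path(config_dir) / "live" / name
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    cert = CERT_HEADER + "\nLEAF\n-----END CERTIFICATE-----\n"
    chain = CERT_HEADER + "\nINTERMEDIATE\n-----END CERTIFICATE-----\n"
    fullchain = chain + cert if break_fullchain else cert + chain  # wrong order when broken
    key = "-----BEGIN PRIVATE KEY-----\nDUMMY\n-----END PRIVATE KEY-----\n"
    for base, text in (("cert", cert), ("chain", chain), ("fullchain", fullchain), ("privkey", key)):
        target = archive / f"{base}1.pem"
        target.write_text(text)
        if base == "privkey":
            target.chmod(key_mode)
        # Certbot uses relative links of the form ../../archive/<name>/<base>1.pem
        os.symlink(os.path.join("..", "..", "archive", name, f"{base}1.pem"), live / f"{base}.pem")
    if drop:
        os.unlink(live / drop)
    return live


def run_demo():
    """Build one good and three broken lineages in a temp dir; return findings per lineage."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "good.example")
        build_sample(tmp, "loose-key.example", key_mode=0o644)
        build_sample(tmp, "bad-fullchain.example", break_fullchain=True)
        build_sample(tmp, "no-chain.example", drop="chain.pem")
        for name in ("good.example", "loose-key.example", "bad-fullchain.example", "no-chain.example"):
            results[name] = check_lineage(tmp, name)
    return results


if __name__ == "__main__":
    for lineage, found in run_demo().items():
        print(lineage, "OK" if not found else found)
```

Point `check_lineage` at a real Certbot config directory (by default /etc/letsencrypt) and a lineage name to run the same checks against live data; the script needs no third-party packages, so it can be dropped into a migration procedure before the old client is removed.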

I disagree

Most people write clients for a specific purpose - the ACME protocol correctly defines interaction with a server but like most API driven products the writing of the client is up to individual authors

Forcing a directory structure limits a client's ability to use back-ends such as SQL databases and other databases

Enforcing such a standard is also impossible and the fact that most clients are written by volunteers at no cost means that they should be left to what makes sense for them

Andrei

I had a meeting about this about two years ago that I thought was pretty interesting, but we didn’t end up drawing up a standard because we didn’t quite agree on the appropriate scope.

I agree that this could be valuable in terms of promoting interoperability between certificate management tools (and not just ACME clients!), which is currently very limited. One question that I’ve had is what the right venue for this discussion would be. I don’t know what the best venues are for standardizing host-side and filesystem topics these days.

Thanks for all the replies. I think using the certbot scheme in lieu of anything else at the moment makes good sense.

It would be interesting to see some client developers get together to try and write something about ACME client best practices. I’m also not sure what the best venue for this discussion is.

ACME clients can run on any OS possible, so directory structure is quite a difficult pickle to handle.

For Linux there’s the Filesystem Hierarchy Standard, Unix has a similar layout, but it’s not standardised and I have no idea how such a thing would be handled in Windows.
