Tags: apache, nginx, file-permissions, lets-encrypt, bind9

How to share Let's Encrypt cert files amongst several daemons having different group names


Multiple daemon applications would like to access the same TLS certificate files (the certificate, the chain, or the private key).

And they all run their daemon with different GID and group name.

My attempts at securing the private key in a safe manner, yet sharing it across different daemons (each having its own GID), took the following approaches (some later nixed):

  1. Set file permission to "blaze of glory" chmod a+rwx. This got nixed because it reveals the secret privkey.pem file to the entire filesystem.

  2. Create a new group keys and add nginx, apache, named (or bind), and sftdyn group to the keys group in /etc/group (or using adduser nginx keys). Use new keys group on the PEM files. Then cap PEM files' permission with chmod 0640.

  3. Use setfacl.

Which of 2 or 3 is best to address this thorny issue?


Solution

  • The system admin side of me believes strongly in "keep it simple" and says to do it via the "keys" group (or ssldaemons or whatever you want to name it - I think group names should describe the membership or purpose if possible) and regular old boring file system permissions.

    On the other hand, if you are already using ACLs then using just another ACL rule or three would fit better into your work flow/policy/admin style.

    If you aren't using ACLs already, then I wouldn't head down that road - no need to make things excessively complex. Unless of course you need an excuse to management to do it :)
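As an added example, not part of the question or the answer above, here is a POSIX shell audit for the recommended approach (a dedicated group plus plain file permissions): it checks that a private key is owned by the expected group and is mode 0640 or stricter, so a later certbot renewal or a stray chmod that reopens the key gets noticed. The group name "keys", the daemon names and the /etc/letsencrypt path are the question's; the helper names, the setup commands in the comments and the constructed placeholder file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a private key shared via a
# dedicated group (the question's approach 2). Expected state: group "keys",
# mode 0640 or stricter (no "other" bits; group may only read).
#
# One-time setup as root (names from the question; the certbot path is the
# usual layout and an assumption here):
#   groupadd keys
#   for u in nginx apache named sftdyn; do usermod -aG keys "$u"; done
#   chgrp keys /etc/letsencrypt/live/example.com/privkey.pem   # follows the symlink into archive/
#   chmod 0640 /etc/letsencrypt/live/example.com/privkey.pem
# The ACL alternative (approach 3) on the same file would be:
#   setfacl -m g:nginx:r,g:apache:r,g:named:r,g:sftdyn:r /etc/letsencrypt/live/example.com/privkey.pem

# Octal permission bits of FILE, following symlinks (certbot's live/ entries
# point into archive/). GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Group name owning FILE, following symlinks.
group_of() {
    stat -L -c '%G' "$1" 2>/dev/null || stat -L -f '%Sg' "$1"
}

# check_key_perms FILE GROUP
# Returns 0 when FILE belongs to GROUP and its mode is 0640 or stricter;
# otherwise reports every problem on stderr and returns 1.
check_key_perms() {
    file=$1
    want_group=$2
    rc=0

    mode=$(mode_of "$file") || { echo "$file: cannot stat" >&2; return 1; }
    group=$(group_of "$file") || return 1

    # Treat the mode as a decimal digit string ("640", "1640", ...): drop any
    # leading zeros so the shell does not parse it as octal, then pick digits.
    mode=$(printf '%s\n' "$mode" | sed 's/^0*\([0-9]\)/\1/')
    other_bits=$(( mode % 10 ))
    group_bits=$(( mode / 10 % 10 ))

    if [ "$other_bits" -ne 0 ]; then
        echo "$file: world-accessible (mode $mode); expected no 'other' bits" >&2
        rc=1
    fi
    # Group may read (4) but must not write (2) or execute (1).
    if [ $(( group_bits & 3 )) -ne 0 ]; then
        echo "$file: group has write/exec (mode $mode); expected 0640 or stricter" >&2
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$file: group is '$group', expected '$want_group'" >&2
        rc=1
    fi
    return $rc
}

# Demo on a constructed throwaway file (no root needed); the real target is
# /etc/letsencrypt/live/<domain>/privkey.pem with group "keys".
demo_key=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' '(constructed placeholder, not a real key)' > "$demo_key"
chmod 0640 "$demo_key"
check_key_perms "$demo_key" "$(id -gn)" && echo "OK: $demo_key passes"
chmod 0644 "$demo_key"
check_key_perms "$demo_key" "$(id -gn)" || echo "problem reported as expected for 0644"
rm -f "$demo_key"
```

Two caveats when using this on a real certbot tree: the daemons also need group execute (traversal) on /etc/letsencrypt/live and /etc/letsencrypt/archive, which the script does not check, and on a file carrying a POSIX ACL the group digit reported by stat is the ACL mask rather than the owning group's bits, so for approach 3 read the entries with getfacl instead.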