
Re: Managing SSL certificates



On Sat, 15 Oct 2005, Lars Wirzenius wrote:

> My suggestion would be to create a tool to manage installation and
> removal of certificates. Something like this:
> 
>         update-ssl-certificate --create package servicename
>         update-ssl-certificate --remove package servicename

I think, better than yet another complex system to handle reference
counts and stuff, all packages should by default just be configured to
use /the/ host certificate.

That is, have all packages that need ssl certs depend on something that
creates /etc/ssl/certs/thishost.pem and /etc/ssl/private/thishost.key
unless they already exist.

Then services should ship with configuration that uses those files
rather than /etc/<randompath><randomfile>.

There aren't that many good reasons for having one cert per service
anyway, and this scheme would make things easier for both packages and
the system administrator.

-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/
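
The "creates the two files unless they already exist" step from this message, as an added shell example (not part of the thread and not code from any Debian package). The function name `ensure_host_cert`, the self-signed RSA certificate, its 365-day lifetime and the use of the `openssl` command-line tool are assumptions; only the two default paths come from the message.

```sh
#!/bin/sh
# Added example, not from the thread. ensure_host_cert is a hypothetical
# helper; the default paths are the two named in the message above.
# Assumes the openssl command-line tool is installed.

ensure_host_cert() {
    cert=${1:-/etc/ssl/certs/thishost.pem}
    key=${2:-/etc/ssl/private/thishost.key}
    # Subject CN: assumed to be the host's FQDN when not given.
    cn=${3:-$(hostname -f 2>/dev/null || hostname)}

    # "Unless they already exist": never replace a pair the administrator
    # may have swapped for a CA-issued certificate.
    if [ -s "$cert" ] && [ -s "$key" ]; then
        return 0
    fi
    # Half a pair means an earlier run or a manual edit went wrong;
    # refuse to overwrite whichever half is present.
    if [ -e "$cert" ] || [ -e "$key" ]; then
        echo "ensure_host_cert: only one of $cert and $key exists" >&2
        return 1
    fi

    # mktemp creates both files mode 0600 inside the target directories, so
    # the key is never world-readable and each rename stays on one filesystem.
    tmpkey=$(mktemp "$key.XXXXXX") || return 1
    tmpcert=$(mktemp "$cert.XXXXXX") || { rm -f "$tmpkey"; return 1; }

    # Self-signed certificate with an unencrypted key, so daemons can
    # start without a passphrase prompt.
    if ! openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$cn" -keyout "$tmpkey" -out "$tmpcert" >/dev/null 2>&1
    then
        rm -f "$tmpkey" "$tmpcert"
        echo "ensure_host_cert: openssl req failed" >&2
        return 1
    fi

    chmod 600 "$tmpkey"     # private key: owner only
    chmod 644 "$tmpcert"    # certificate: public
    mv "$tmpkey" "$key" && mv "$tmpcert" "$cert"
}
```

Called with no arguments as root, it targets the two paths from the message; every service configured to read them then shares one private key, so the key file's mode and ownership are the control that matters.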


