
Re: Managing SSL certificates



On Sat, 15 Oct 2005 15:35:40 +0200, Peter Palfrader
<weasel@debian.org> wrote:
>I think better than yet another complex system to handle reference
>counts and stuff all packages should by default just be configured to
>use /the/ host certificate.
>
>That is, have all packages that need ssl certs depend on something that
>creates /etc/ssl/certs/thishost.pem and /etc/ssl/private/thishost.key
>unless they already exist.
>
>Then services should ship with configuration that uses those files
>rather than /etc/<randompath><randomfile>
>
>There aren't that many good reasons for having one cert per service
>anyway, and this scheme would make things easier for both, packages and
>the system administrator.

As long as this scheme is provided by a package with a cleanly defined
"API", and that "API" is crafted in a way that this package can be
seamlessly replaced by one that allows service-based certificates,
including an easy way to create and manage such certificates, this is
fine.

But please don't close any doors by implementing a restricted
interface.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Phone: *49 621 72739834


