Re: Suggested solutions to certificate handling/generation for server/clients using SSL/TLS.
* Herman Robak (email@example.com) [040829 12:46]:
> Suggested solution
> During installation, a CA will be created. Maybe before all the SSL-
> enabled servers are installed, maybe after; that depends on how we
> aim to solve the certificate signing.
> If the CA is in place _before_ the SSL-enabled servers, they can
> have a pre-install script generate a signing request. If the CA
> responds, and signs the request, the server gets a properly signed
> certificate. If not, it can fall back to a self-signed certificate.
> dpkg-reconfigure ought to repeat this process, in case the CA was
> not working at install time.
> Design consideration: The servers could "pull" their certificates
> by sending a signing request, or the CA could "push" by putting the
> certificate and the private key in a predetermined place.
Are you working on this?
It is an important bit of infrastructure and needs care and
dedication over some time. I would certainly appreciate it if you
could commit to it.
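
The "pull" variant with the self-signed fallback from the quoted proposal, sketched as an added example that is not part of the original thread or of any Debian package. It assumes the CA is a local directory holding `ca.key` and `ca.crt` (a stand-in for whatever transport would carry the signing request); `make_ca`, `obtain_cert` and the file names are hypothetical.

```shell
#!/bin/sh
# Added example: server "pulls" a certificate, falls back to self-signed.
# ASSUMPTION: the CA is a local directory with ca.key and ca.crt; a real
# setup would send the CSR to the CA over whatever transport is chosen.

# make_ca DIR: create a constructed test CA (sample data for this example).
make_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Install CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# obtain_cert OUTDIR CN CADIR: prints "ca-signed" or "self-signed".
obtain_cert() {
    out=$1 cn=$2 ca=$3
    mkdir -p "$out" || return 1
    # The private key is generated on the server and never leaves it.
    ( umask 077
      openssl genrsa -out "$out/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$out/server.key" -subj "/CN=$cn" \
        -out "$out/server.csr" || return 1
    # "CA responds": stand-in check that the CA can be reached and signs.
    if [ -r "$ca/ca.key" ] && [ -r "$ca/ca.crt" ] &&
       openssl x509 -req -in "$out/server.csr" -days 30 \
           -CA "$ca/ca.crt" -CAkey "$ca/ca.key" -CAcreateserial \
           -out "$out/server.crt" 2>/dev/null
    then
        echo ca-signed
    else
        # Fallback: sign the same request with the server's own key.
        openssl x509 -req -in "$out/server.csr" -days 30 \
            -signkey "$out/server.key" \
            -out "$out/server.crt" 2>/dev/null || return 1
        echo self-signed
    fi
}
```

Running `obtain_cert` again once the CA exists replaces the self-signed certificate with a CA-signed one, which is the role the proposal gives to dpkg-reconfigure.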