Bug#816904: future of make-ssl-cert now that we have letsencrypt
Hi Daniel,
On Sun, 6 Mar 2016, Daniel Pocock wrote:
> Should the make-ssl-cert script continue doing the same thing, creating
> Snakeoil certs only?
At least by default, it should. There are quite a few systems that don't
have outside network connection, people may want to use different CAs,
etc.
> Or should it be extended to give the user the option of using
> letsencrypt? If this is added, any packages already relying on
> make-ssl-cert will automatically be configured with letsencrypt
>
> Some discussion of Let's Encrypt and related issues occurred here:
> https://lists.debian.org/debian-devel/2015/08/msg00007.html
I agree that having supporting logic for Let's Encrypt would be nice to
have. Unfortunately, I don't think I will have time to implement it in the
foreseeable future.
There are quite a few more things that would be nice, like
- creating certs in different formats / with chain included or not
- optionally creating a CSR for use with a different CA
- verifying the certificate chain
- verifying that a certificate actually matches the private key.
I am not sure if these must be in the same package. One could also imagine
a generic certificate helper tool that does these things with an easier
user interface than the openssl tools. And then a different package
(ssl-cert?) could integrate this tool for use by debian packages.
Cheers,
Stefan
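
Two of the checks from the wishlist above (certificate matches private key, certificate chain verifies), built on the openssl command-line tools as an added example; it is not part of the original message or of make-ssl-cert. The function names, the `example.invalid` subjects and the throwaway certificates it generates are assumptions for illustration, and private keys are assumed to be unencrypted.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not make-ssl-cert code.

# Constructed sample input: a self-signed cert and an unencrypted RSA key,
# written as DIR/NAME.pem and DIR/NAME.key.
make_snakeoil() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2.example.invalid" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Returns 0 if the certificate's public key equals the public half of the
# private key, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if CERT chains to a trust anchor in CAFILE (a PEM bundle).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_snakeoil "$dir" a && make_snakeoil "$dir" b || return 1
    cert_matches_key "$dir/a.pem" "$dir/a.key" && echo "a.pem matches a.key"
    cert_matches_key "$dir/a.pem" "$dir/b.key" || echo "a.pem does not match b.key"
    chain_verifies "$dir/a.pem" "$dir/a.pem" && echo "a.pem verifies against itself"
    chain_verifies "$dir/b.pem" "$dir/a.pem" || echo "b.pem does not verify against a.pem"
    rm -rf "$dir"
}
demo
```

Comparing the two PEM-encoded public keys works for any key type openssl can read, unlike comparing RSA moduli.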