[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Managing SSL certificates

With my testing of packages in etch with piuparts[1], I occasionally run
into a problem that occurs in many packages in the same way. One such
problem is the creation and deletion of SSL certificates for various
services (imaps, https, etc). At the moment, the packages tend to create
the certificate automatically on installation, if it isn't there
already, and not remove it when the package is purged. This leaves cruft
on the filesystem.

A couple of problematic scenarios that have been brought up:

        * What if the sysadmin modifies the certificate? For example,
        they might add a signature from a CA, or replace it with a
        completely new one.
        * What if the certificate is shared by several packages?
There are probably others.

In my opinion, it would be nice to be clean about these certificates so
that if I install a package and then purge it, without touching the
certificate in any way, it is removed with the package. While the amount
of cruft left behind by these files is pretty small, it's still cruft.

My suggestion would be to create a tool to manage installation and
removal of certificates. Something like this:

        update-ssl-certificate --create package servicename
        update-ssl-certificate --remove package servicename

With these commands the appropriate certificate (base name
"servicename") is created (unless it exists) and removed (if it hasn't
been modified in any way, and isn't shared). If the certificate already
existed, the package's use of it is recorded, in effect, a reference
count is increased. Similarly, the reference count is reduced with
--remove, and if it drops to zero, the file is finally removed.

The commands keep track (via checksums, or something) whether the
sysadmin has manually modified the certificates. The sysadmin should not
have to use any special commands inform this subsystem about certificate

Now, I don't actually understand much about SSL certificates. There
might be something seriously wrong with my suggestion. Please tell me,
if so.

If the basic approach is valid, I'd be happy to write the tool and work
with the relevant packagers to get it used. Most of it is quite simple,
the certificate generation part can probably be snarfed from an existing

[1] http://packages.debian.org/unstable/devel/piuparts

/* The following line has been commented out */

Reply to: