
Re: Managing SSL certificates

On Sat, 15 Oct 2005, Lars Wirzenius wrote:

> My suggestion would be to create a tool to manage installation and
> removal of certificates. Something like this:
>         update-ssl-certificate --create package servicename
>         update-ssl-certificate --remove package servicename

I think, better than yet another complex system to handle reference
counts and stuff, all packages should by default just be configured to
use /the/ host certificate.

That is, have all packages that need ssl certs depend on something that
creates /etc/ssl/certs/thishost.pem and /etc/ssl/private/thishost.key
unless they already exist.

Then services should ship with configuration that uses those files
rather than /etc/<randompath><randomfile>.

There aren't that many good reasons for having one cert per service
anyway, and this scheme would make things easier for both packages and
the system administrator.

 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/
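
The create-unless-they-already-exist step proposed in the message above, as an added example that is not part of the original post or of any Debian package. The function names, the ROOT prefix, the CN argument, the self-signed RSA certificate and the directory and file modes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The ROOT prefix and CN argument are
# assumptions so the function can be exercised outside a real /etc.

# ensure_host_cert ROOT [CN]
# Creates ROOT/etc/ssl/certs/thishost.pem and ROOT/etc/ssl/private/thishost.key
# unless they already exist. Returns 0 if the pair is present afterwards,
# 2 if only one half exists (left untouched for the admin), 1 on failure.
ensure_host_cert() {
    root=$1
    cn=${2:-$(hostname)}
    cert="$root/etc/ssl/certs/thishost.pem"
    key="$root/etc/ssl/private/thishost.key"

    # Existing pair: never regenerate; the admin may have installed a CA-signed cert.
    if [ -e "$cert" ] && [ -e "$key" ]; then return 0; fi
    # Half a pair: overwriting could destroy the only copy of a private key.
    if [ -e "$cert" ] || [ -e "$key" ]; then return 2; fi

    mkdir -p "$root/etc/ssl/certs" "$root/etc/ssl/private" || return 1
    chmod 700 "$root/etc/ssl/private" || return 1   # assumed mode for this sketch

    # Subshell keeps the restrictive umask local; the key is never world-readable.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$cn" -keyout "$key" -out "$cert" 2>/dev/null
    ) || { rm -f "$cert" "$key"; return 1; }

    chmod 600 "$key" && chmod 644 "$cert"
}

# cert_matches_key CERT KEY: true when the certificate carries the key's public half.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = \
      "$(openssl pkey -pubout -in "$2")" ]
}
```

A package maintainer script would call `ensure_host_cert ""` so the paths resolve under the real `/etc`; a return code of 2 is the case to surface to the administrator rather than repair automatically.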
