Re: Managing SSL certificates
On 10/16/05, sean finney <firstname.lastname@example.org> wrote:
> On Sun, Oct 16, 2005 at 03:59:17PM +0200, Wouter Verhelst wrote:
> > Such a tool would be very nice, and not just because of the cruft they
> > leave behind -- many packages currently support SSL connections; some
> > automatically generate a self-signed certificate upon installation,
> > others leave that to the admin. Some use debconf to ask information for
> > the certificate (or to warn that a certificate has to be generated
> > before SSL will be enabled), some don't.
> > A unified API to clean up this mess would be very interesting.
> i would suggest that in addition to supplying an api, it would be
> very helpful to provide all the debconf templates and maintainer
> script logic as well. i do such an approach in dbconfig-common
I'm not sure if this idea is possible SSL-wise, but I'd be nice to
support the following scenario (I hope it makes sense).
Have a self signed root certificate (A) of which the private part is
not on the server. This would be downloaded and accepted by the user
Have a signed by A server certificate (B) of which the private part is
on the server.
Have a signed by B service certificate (C) of which the private part
is on the server.
The advantage is that C certificates can be automatically generated
and that B and C certificates can be renewed and revoked without the
user having to redownload/reaccept a certificate.