Re: Using the SSL snakeoil certificate

On Thu, Jul 20, 2006 at 11:24:34AM +0200, Martin Schulze wrote:

> Hence, I propose to stay with virtual per-service certificates, but to
> link them to the common snakeoil certificate from ssl-certificates
> during configuration and only if there is no other setting.
> For example:
>   Dovecot uses </etc/ssl/certs/dovecot.pem>.
>   This is a symbolic link to </etc/ssl/certs/ssl-cert-snakeoil.pem> if
>   the above file or link does not exist during configuration of
>   dovecot.
> That way, the admin can easily replace the symlink with a real
> certificate if they want per-service certificates.
> If, however, they want to have one real certificate for everything,
> they can replace the snakeoil certificate like Martin Pitt proposed.

This would be a great improvement.  I'd suggest one more level of
symlinks.  Have the individual services symlink to
/etc/ssl/certs/ssl-cert-site.pem, which is then symlinked to
ssl-cert-snakeoil.pem.  When/if the local admin installs an actual
site-wide certificate, updating the one ssl-cert-site.pem symlink will
update all of the individual services using the site cert, and the
snakeoil cert is still available if you ever need to fail back to it.
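The three-level chain proposed above, as an added example that is not part of the thread or of any Debian package: a POSIX sh script that builds the links in a scratch directory standing in for /etc/ssl/certs, using constructed placeholder files instead of real certificates, then swaps the single site link and shows every service following it while the snakeoil cert stays available for fall-back.

```shell
#!/bin/sh
# Added example (not from the thread): builds the proposed symlink chain
# service.pem -> ssl-cert-site.pem -> ssl-cert-snakeoil.pem in a scratch
# directory, so the swap and fall-back behaviour can be checked without
# touching the real system.

# Packaging step: create the per-service link only if nothing is configured
# for that service yet, so an admin-installed certificate is never clobbered.
link_service_cert() {            # $1 = certs dir, $2 = service name
    [ -e "$1/$2.pem" ] || ln -s ssl-cert-site.pem "$1/$2.pem"
}

# Site-wide indirection: points at the snakeoil cert unless the local
# admin has already provided ssl-cert-site.pem.
init_site_link() {               # $1 = certs dir
    [ -e "$1/ssl-cert-site.pem" ] || ln -s ssl-cert-snakeoil.pem "$1/ssl-cert-site.pem"
}

# Admin action: repoint the one site link at a real certificate.
# -f replaces the existing link, -n keeps ln from descending into a target dir.
install_site_cert() {            # $1 = certs dir, $2 = cert file name
    ln -sfn "$2" "$1/ssl-cert-site.pem"
}

# Admin fall-back: send every service back to the snakeoil cert.
revert_to_snakeoil() {           # $1 = certs dir
    ln -sfn ssl-cert-snakeoil.pem "$1/ssl-cert-site.pem"
}

# Resolve the whole chain for one service and print the final file name.
resolve_service_cert() {         # $1 = certs dir, $2 = service name
    basename "$(readlink -f "$1/$2.pem")"
}

# Demo in a temporary directory with constructed placeholder "certs".
demo_dir=$(mktemp -d)
echo "constructed snakeoil placeholder" > "$demo_dir/ssl-cert-snakeoil.pem"
echo "constructed real site cert placeholder" > "$demo_dir/site-real.pem"
init_site_link "$demo_dir"
for s in dovecot exim4 apache2; do link_service_cert "$demo_dir" "$s"; done
echo "before: dovecot -> $(resolve_service_cert "$demo_dir" dovecot)"
install_site_cert "$demo_dir" site-real.pem
echo "after:  dovecot -> $(resolve_service_cert "$demo_dir" dovecot)"
rm -rf "$demo_dir"
```

Run it on any system with GNU coreutils (readlink -f); the real deployment would use /etc/ssl/certs and the actual ssl-cert-snakeoil.pem from the ssl-cert package.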


