Re: Using the SSL snakeoil certificate
On Thu, Jul 20, 2006 at 11:24:34AM +0200, Martin Schulze wrote:
> Hence, I propose to stay with virtual per-service certificates, but to
> link them to the common snakeoil certificate from ssl-certificates
> during configuration and only if there is no other setting.
> For example:
> Dovecot uses </etc/ssl/certs/dovecot.pem>.
> This is a symbolic link to </etc/ssl/certs/ssl-cert-snakeoil.pem> if
> the above file or link does not exist during configuration of
> That way, the admin can easily replace the symlink with a real
> certificate if they want per-service certificates.
> If, however, they want to have one real certificate for everything,
> they can replace the snakeoil certificate like Martin Pitt proposed.
This would be a great improvement. I'd suggest one more level of
symlinks. Have the individual services symlink to
/etc/ssl/certs/ssl-cert-site.pem, which is then symlinked to
ssl-cert-snakeoil.pem. When/if the local admin installs an actual
site-wide certificate, updating the one ssl-cert-site.pem symlink will
update all of the individual services using the site cert, and the
snakeoil cert is still available if you ever need to fail back to it.
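
The two-level symlink layout proposed in this thread, as an added example that is not part of the original message or of any package's maintainer scripts. It runs in a scratch directory rather than /etc/ssl/certs; the function names, the second service name `exampled`, and `example-site.pem` are assumptions, and the file contents are constructed placeholders.

```shell
#!/bin/sh
# Create link -> target only when nothing (file, link, or dangling link)
# already sits at the link path, so an admin's own setting is never replaced.
link_if_absent() {
    target=$1
    link=$2
    if [ -e "$link" ] || [ -L "$link" ]; then
        return 0
    fi
    ln -s "$target" "$link"
}

# What a service's configuration step would do (hypothetical helper):
# service.pem -> ssl-cert-site.pem -> ssl-cert-snakeoil.pem
configure_service() {
    certdir=$1
    service=$2
    link_if_absent ssl-cert-snakeoil.pem "$certdir/ssl-cert-site.pem"
    link_if_absent ssl-cert-site.pem "$certdir/$service.pem"
}

# Admin action: repoint the single site link at a real certificate.
# The snakeoil file itself is left in place for falling back.
install_site_cert() {
    certdir=$1
    realcert=$2
    ln -sf "$realcert" "$certdir/ssl-cert-site.pem"
}

# Print the file name a service certificate path finally resolves to.
resolved_cert() {
    basename "$(readlink -f "$1")"
}

demo() {
    d=$(mktemp -d)
    echo "constructed snakeoil placeholder" > "$d/ssl-cert-snakeoil.pem"
    echo "constructed site placeholder" > "$d/example-site.pem"
    configure_service "$d" dovecot
    configure_service "$d" exampled
    resolved_cert "$d/dovecot.pem"      # before: snakeoil
    install_site_cert "$d" example-site.pem
    resolved_cert "$d/dovecot.pem"      # after: both services follow the site link
    resolved_cert "$d/exampled.pem"
    rm -rf "$d"
}
demo
```

Re-running `configure_service` after the admin has repointed `ssl-cert-site.pem` leaves the admin's choice intact, because both links are only created when absent.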