
[Freedombox-discuss] Freedombox CA



On Thu, Sep 12, 2013 at 03:06:46PM +0100, Keith wrote:
> After further thought:
> 
> With a CA on each freedombox we could have something like this
> 
> Create a CA using (options used could be changed)
> openssl genrsa -des3 -out "Freedombox CA.key" 4096

Is there any remote chance to use a different crypto library/tool
than OpenSSL? I realize that the license issues preclude many
of the potential alternatives from inclusion in Debian.

> openssl req -new -x509 -days 3650 -key "Freedombox CA.key" -out "Freedombox CA.pem"
> 
> Possibly replace any snakeoil keys created by Debian (Postfix uses 2048
> bits, could use 4096 bits if Postfix is the MTA used).
> 
> Include in Plinth an option for a freedom box to obtain ssl keys with
> the Freedombox CA. No interface to an external website, openssl can do
> this.
> 
> The public key of the Freedombox CA could be published, to be imported
> into someone else's browser, could be a problem with multiple Freedombox
> CAs with the same name.
> 
> Possibly a paranoid option to rotate the ssl keys on the freedom box
> running manually and/or as a cron job (Now doing this daily with one of
> my mailservers).
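
Added example (not part of the original message and not FreedomBox code): a shell script that follows the per-box CA procedure quoted above and shows the name-collision concern, with two CAs carrying the same subject but different keys, told apart only by SHA-256 fingerprint. The directory layout, the host name mail.box-a.example, the unencrypted keys and the 2048-bit default are assumptions made so it runs unattended.

```shell
#!/bin/sh
# Added example; paths, host name and key sizes are assumptions.
set -eu

# make_ca DIR [BITS]: self-signed CA whose subject is always "CN=Freedombox CA".
# The thread's command uses -des3 and 4096 bits; here the key is unencrypted
# and defaults to 2048 bits so the script runs unattended and quickly.
make_ca() {
    mkdir -p "$1"
    openssl genrsa -out "$1/ca.key" "${2:-2048}" 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$1/ca.key" \
        -subj "/CN=Freedombox CA" -out "$1/ca.pem"
}

# issue_cert CA_DIR NAME [BITS]: fresh key and CSR for NAME, signed by the CA
# in CA_DIR. Re-running it replaces the key, which is what a rotation job does.
issue_cert() {
    openssl genrsa -out "$1/$2.key" "${3:-2048}" 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

subject()     { openssl x509 -in "$1" -noout -subject; }
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# verifies_under CA_PEM CERT_PEM: succeeds only if CERT was signed by that CA key.
verifies_under() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
    work=$(mktemp -d)
    make_ca "$work/box-a"
    make_ca "$work/box-b"
    issue_cert "$work/box-a" mail.box-a.example
    for box in box-a box-b; do
        echo "$box: $(subject "$work/$box/ca.pem")"
        echo "$box: $(fingerprint "$work/$box/ca.pem")"
    done
    for box in box-a box-b; do
        if verifies_under "$work/$box/ca.pem" "$work/box-a/mail.box-a.example.pem"
        then echo "mail.box-a.example verifies under $box CA"
        else echo "mail.box-a.example rejected under $box CA"
        fi
    done
    rm -rf "$work"
}
demo
```

Anyone importing a published "Freedombox CA" certificate therefore has to compare its fingerprint out of band, because the name alone does not identify which box issued it.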