author    Jonas Smedegaard <dr@jones.dk>  2002-12-31 02:31:21 +0000
committer Jonas Smedegaard <dr@jones.dk>  2002-12-31 02:31:21 +0000
commit    8a22684953d6128de78d6ab958dca28f9f3807e6 (patch)
tree      3559a76bd0915a71b83a43ec7dc211d8050ca17b /doc
parent    68ac1652d1cf7a49f595091acc5b3e438507cd8d (diff)
Change to using only .pem extension for certificates, and misc. other changes.
Diffstat (limited to 'doc')
-rw-r--r--  doc/Certificates.txt  23
-rw-r--r--  doc/Email.txt          4
2 files changed, 19 insertions, 8 deletions
diff --git a/doc/Certificates.txt b/doc/Certificates.txt
index 6a71526..d4a278e 100644
--- a/doc/Certificates.txt
+++ b/doc/Certificates.txt
@@ -10,40 +10,49 @@ or in a separate file.
The simplest form is a self-signed certificate with null-password
embedded key.
+Beware that passwords for host certificates usually means you will need
+to manually start the services.
+
Self-signed host certificates contain both certificate and key in same
file. The file is placed in /etc/ssl/certs/ named by the service it
provides appended ".pem".
-CA signed host certificates , or symlinked with that name from
-hostname.key or whatever makes best sense in the situation, either with
-the key embedded or the key at the same place.
+CA signed host certificates have separate public (certificate) and
+private (key) parts. The certificate is located as with self-signed
+ones, and keys are placed in /etc/ssl/private/ named similarly.
The script /usr/share/local/localmksslcerts can be used to make
self-signed certificates with embedded keys.
+Certificates should be chmod'ed 0444 and keys 0400.
+
Certificate Authority
---------------------
CA Certificates are divided in a public certificate and a private key.
The CA certificate is placed in /etc/ssl/certs/ and named loosely by the
-CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.pem".
+CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.crt".
Example: IT_guide_dr_Jones_CA.pem
-CA Key is located in /etc/ssl/private/ equally named.
+CA key is located in /etc/ssl/private/ equally named.
Certificate is symlinked to "/etc/ssl/certs/cacert.pem" for easy
locating by scripts.
+More info here: http://tirian.magd.ox.ac.uk/~nick/openssl-certs/ca.shtml
+
Read here about confusion between commercial CAs and actual security:
http://www.counterpane.com/pki-risks.html
+Like with hosts, certificates should be chmod'ed 0444 and keys 0400.
+
Users
-----
Have a look at this web page:
http://www.cise.ufl.edu/help/secure-access/ssl-mail-setup.shtml
-The script is at /usr/share/local/mycert - adapted to Debian GNU/Linux.
+The script is at /usr/share/local/mycert, adapted to Debian GNU/Linux.
--
-$Id: Certificates.txt,v 1.2 2002-12-28 02:03:20 jonas Exp $
+$Id: Certificates.txt,v 1.3 2002-12-31 02:31:21 jonas Exp $
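Review bot: The changed CA naming line (`+CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.crt".`) contradicts both the commit message ("using only .pem extension for certificates") and the unchanged context right below it, which still reads `Example: IT_guide_dr_Jones_CA.pem` and symlinks the certificate to `/etc/ssl/certs/cacert.pem`; this looks like a typo for `_CA.pem` and should be corrected so the naming rule, the example and the symlink agree. Two smaller documentation points in the same hunk: the new paragraph on CA-signed host certificates says keys are placed in `/etc/ssl/private/` "named similarly", which leaves the reader guessing whether that means `<service>.pem` or something else, so the exact key filename should be spelled out; and the added permission rules (certificates 0444, keys 0400) would be easier to apply if they stated the expected owner of the key files, since a 0400 key is only as private as the account that owns it. Style: "passwords for host certificates usually means" should read "usually mean".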
diff --git a/doc/Email.txt b/doc/Email.txt
index dc1d5a4..e633e01 100644
--- a/doc/Email.txt
+++ b/doc/Email.txt
@@ -14,6 +14,8 @@ MX backup pool, (maybe) pop-before-smtp and other tweaks.
Postfix 2.0.1 has just come out, with improved responses when emails are
blocked by RBLs: http://www.rfc-ignorant.org/how_to_domain.php
+More about TLS in postfix: http://rr.sans.org/email/TLS.php
+
Read this about generally encrypting emails between MTAs whenever
possible: http://www.homeport.org/~adam/starttls.html
@@ -72,4 +74,4 @@ Here's a brief overview of interaction between mail agents and daemons:
http://lists.samba.org/pipermail/linux/1999-September/003605.html
--
-$Id: Email.txt,v 1.2 2002-12-28 02:03:20 jonas Exp $
+$Id: Email.txt,v 1.3 2002-12-31 02:31:21 jonas Exp $