diff options
Diffstat (limited to 'doc/Certificates.txt')
-rw-r--r-- | doc/Certificates.txt | 46 |
1 files changed, 34 insertions, 12 deletions
diff --git a/doc/Certificates.txt b/doc/Certificates.txt index 8c7acf7..6a71526 100644 --- a/doc/Certificates.txt +++ b/doc/Certificates.txt @@ -1,27 +1,49 @@ -Certificate Authority ---------------------- -CA Certificate is placed in /etc/ssl/certs/ and name closely to CN of -organisation ( s/ /_/g ) appended "_CA.crt". - -CA Key is located in /etc/ssl/private/ named similarly appended -"_CA.key". - -Certificate is symlinked to "/etc/ssl/certs/cacert.pem" for easy -locating by scripts. +Public Key Infrastructure (PKI) +=============================== Hosts ----- -Host certificates are placed in /etc/ssl/certs/ either named by the -service they provide appended ".pem", or symlinked with that name from +Host certificates can be either self-signed or signed by a CA. The +private key can be either embedded into the same file as the certificate +or in a separate file. + +The simplest form is a self-signed certificate with null-password +embedded key. + +Self-signed host certificates contain both certificate and key in same +file. The file is placed in /etc/ssl/certs/ named by the service it +provides appended ".pem". + +CA signed host certificates , or symlinked with that name from hostname.key or whatever makes best sense in the situation, either with the key embedded or the key at the same place. The script /usr/share/local/localmksslcerts can be used to make self-signed certificates with embedded keys. +Certificate Authority +--------------------- +CA Certificates are divided in a public certificate and a private key. + +The CA certificate is placed in /etc/ssl/certs/ and named loosely by the +CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.pem". + +Example: IT_guide_dr_Jones_CA.pem + +CA Key is located in /etc/ssl/private/ equally named. + +Certificate is symlinked to "/etc/ssl/certs/cacert.pem" for easy +locating by scripts. + +Read here about confusion between commercial CAs and actual security: +http://www.counterpane.com/pki-risks.html + Users ----- Have a look at this web page: http://www.cise.ufl.edu/help/secure-access/ssl-mail-setup.shtml The script is at /usr/share/local/mycert - adapted to Debian GNU/Linux. + +-- +$Id: Certificates.txt,v 1.2 2002-12-28 02:03:20 jonas Exp $ |