From 2a4512ee828bc148f3532c9a0dc4813aeabf9d7d Mon Sep 17 00:00:00 2001 From: Jonas Smedegaard Date: Sat, 28 Dec 2002 02:03:20 +0000 Subject: Misc. tweaks. FCS id added. --- doc/Certificates.txt | 46 ++++++++++++++++++++++++++++++++++------------ doc/Email.txt | 11 +++++++---- 2 files changed, 41 insertions(+), 16 deletions(-) (limited to 'doc') diff --git a/doc/Certificates.txt b/doc/Certificates.txt index 8c7acf7..6a71526 100644 --- a/doc/Certificates.txt +++ b/doc/Certificates.txt 
@@ -1,27 +1,49 @@ -Certificate Authority ---------------------- -CA Certificate is placed in /etc/ssl/certs/ and name closely to CN of -organisation ( s/ /_/g ) appended "_CA.crt". - -CA Key is located in /etc/ssl/private/ named similarly appended -"_CA.key". - -Certificate is symlinked to "/etc/ssl/certs/cacert.pem" for easy -locating by scripts. +Public Key Infrastructure (PKI) +=============================== Hosts ----- -Host certificates are placed in /etc/ssl/certs/ either named by the -service they provide appended ".pem", or symlinked with that name from +Host certificates can be either self-signed or signed by a CA. The +private key can be either embedded into the same file as the certificate +or in a separate file. + +The simplest form is a self-signed certificate with null-password +embedded key. + +Self-signed host certificates contain both certificate and key in same +file. The file is placed in /etc/ssl/certs/ named by the service it +provides appended ".pem". + +CA signed host certificates , or symlinked with that name from hostname.key or whatever makes best sense in the situation, either with the key embedded or the key at the same place. The script /usr/share/local/localmksslcerts can be used to make self-signed certificates with embedded keys. +Certificate Authority +--------------------- +CA Certificates are divided in a public certificate and a private key. + +The CA certificate is placed in /etc/ssl/certs/ and named loosely by the +CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.pem". + +Example: IT_guide_dr_Jones_CA.pem + +CA Key is located in /etc/ssl/private/ equally named. + +Certificate is symlinked to "/etc/ssl/certs/cacert.pem" for easy +locating by scripts. 
+ +Read here about confusion between commercial CAs and actual security: +http://www.counterpane.com/pki-risks.html + Users ----- Have a look at this web page: http://www.cise.ufl.edu/help/secure-access/ssl-mail-setup.shtml The script is at /usr/share/local/mycert - adapted to Debian GNU/Linux. + +-- +$Id: Certificates.txt,v 1.2 2002-12-28 02:03:20 jonas Exp $ diff --git a/doc/Email.txt b/doc/Email.txt index 5adfca6..dc1d5a4 100644 --- a/doc/Email.txt +++ b/doc/Email.txt @@ -1,8 +1,9 @@ Mail Transport Agents (MTA) --------------------------- -Postfix is generally used currently. +Postfix is a good choice as allround MTA: Robust, elegant configuration +logic, extreme scalability. -A pool of Mail eXchange servers are registered in the file +A pool of mail exchange (MX) backup servers is listed in the file /etc/local-COMMON/postfix/permit_mx_backup_networks (/etc/local-COMMON/postfix/mx_networks is deprecated!). @@ -67,6 +68,8 @@ some of the frustrations about getting SASL to work). Run the command `lsof | grep sasl` to make sure. ------------ -Have a look here for an overview of interaction between the above agents -and daemons: +Here's a brief overview of interaction between mail agents and daemons: http://lists.samba.org/pipermail/linux/1999-September/003605.html + +-- +$Id: Email.txt,v 1.2 2002-12-28 02:03:20 jonas Exp $ -- cgit v1.2.3
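Review bot: in the Certificates.txt hunk, the line "+CA signed host certificates , or symlinked with that name from" is a dangling fragment: the old sentence's subject and its first alternative ("placed in /etc/ssl/certs/ either named by the service they provide appended ".pem"") were deleted, so the surviving "or symlinked with that name from hostname.key or whatever makes best sense" no longer has a referent. Suggest restating it in full, e.g. "CA-signed host certificates are placed in /etc/ssl/certs/ named by the service they provide appended ".pem", or symlinked with that name from hostname.key". Two smaller points in the same hunk: "named loosely by the CN of the organisation using digits [a-zA-Z0-9_-]" describes a character class that is mostly letters, so "digits" should be "characters"; and the new text recommends "a self-signed certificate with null-password embedded key" stored in /etc/ssl/certs/ as "the simplest form", which puts an unencrypted private key in a directory that is normally world-readable, so the document should state the required file mode and ownership for such combined files (or keep the combined file under /etc/ssl/private/ with a symlink for the certificate) in the same way it already separates the CA key into /etc/ssl/private/.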
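Review bot: in the first Email.txt hunk (@@ -1,8 +1,9 @@), the sentence "(/etc/local-COMMON/postfix/mx_networks is deprecated!)" says the old file is deprecated but not whether Postfix is still configured to read it; since this file grants relay permission to the listed networks, a stale copy that is still referenced is a silent relay-policy risk. Suggest stating explicitly that mx_networks is no longer referenced from main.cf and may be removed, or that it must be emptied. Minor wording: "allround MTA" should be "all-round MTA", and the fragment after the colon ("Robust, elegant configuration logic, extreme scalability") reads better as "robust, with elegant configuration logic and extreme scalability".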
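Review bot: in the second Email.txt hunk (@@ -67,6 +68,8 @@), the rewritten line "+Here's a brief overview of interaction between mail agents and daemons:" drops "the above" but keeps only a link to a 1999 mailing-list post as the whole overview; the two or three sentences that the local setup actually depends on (which agent hands mail to which, and where SASL sits in that chain) should be written into the document itself so the section stays useful if the link goes away, with the URL kept as the reference. The added "$Id: ... $" trailer is an RCS/CVS keyword and is only expanded when the file is checked out with keyword substitution enabled; if the repository is not configured for that, the literal string will not update and should not be relied on as a version marker.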