From 8a22684953d6128de78d6ab958dca28f9f3807e6 Mon Sep 17 00:00:00 2001 From: Jonas Smedegaard Date: Tue, 31 Dec 2002 02:31:21 +0000 Subject: Change to using only .pem extension for certificates, and misc. other changes. --- doc/Certificates.txt | 23 ++++++++++++++++------- doc/Email.txt | 4 +++- 2 files changed, 19 insertions(+), 8 deletions(-) (limited to 'doc') diff --git a/doc/Certificates.txt b/doc/Certificates.txt index 6a71526..d4a278e 100644 --- a/doc/Certificates.txt +++ b/doc/Certificates.txt @@ -10,40 +10,49 @@ or in a separate file. The simplest form is a self-signed certificate with null-password embedded key. +Beware that passwords for host certificates usually means you will need +to manually start the services. + Self-signed host certificates contain both certificate and key in same file. The file is placed in /etc/ssl/certs/ named by the service it provides appended ".pem". -CA signed host certificates , or symlinked with that name from -hostname.key or whatever makes best sense in the situation, either with -the key embedded or the key at the same place. +CA signed host certificates have separate public (certificate) and +private (key) parts. The certificate is located as with self-signed +ones, and keys are placed in /etc/ssl/private/ named similarly. The script /usr/share/local/localmksslcerts can be used to make self-signed certificates with embedded keys. +Certificates should be chmod'ed 0444 and keys 0400. + Certificate Authority --------------------- CA Certificates are divided in a public certificate and a private key. The CA certificate is placed in /etc/ssl/certs/ and named loosely by the -CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.pem". +CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.crt". Example: IT_guide_dr_Jones_CA.pem -CA Key is located in /etc/ssl/private/ equally named. +CA key is located in /etc/ssl/private/ equally named. Certificate is symlinked to "/etc/ssl/certs/cacert.pem" for easy locating by scripts. +More info here: http://tirian.magd.ox.ac.uk/~nick/openssl-certs/ca.shtml + Read here about confusion between commercial CAs and actual security: http://www.counterpane.com/pki-risks.html +Like with hosts, certificates should be chmod'ed 0444 and keys 0400. + Users ----- Have a look at this web page: http://www.cise.ufl.edu/help/secure-access/ssl-mail-setup.shtml -The script is at /usr/share/local/mycert - adapted to Debian GNU/Linux. +The script is at /usr/share/local/mycert, adapted to Debian GNU/Linux. -- -$Id: Certificates.txt,v 1.2 2002-12-28 02:03:20 jonas Exp $ +$Id: Certificates.txt,v 1.3 2002-12-31 02:31:21 jonas Exp $ diff --git a/doc/Email.txt b/doc/Email.txt index dc1d5a4..e633e01 100644 --- a/doc/Email.txt +++ b/doc/Email.txt @@ -14,6 +14,8 @@ MX backup pool, (maybe) pop-before-smtp and other tweaks. Postfix 2.0.1 has just come out, with improved responses when emails are blocked by RBLs: http://www.rfc-ignorant.org/how_to_domain.php +More about TLS in postfix: http://rr.sans.org/email/TLS.php + Read this about generally encrypting emails between MTAs whenever possible: http://www.homeport.org/~adam/starttls.html @@ -72,4 +74,4 @@ Here's a brief overview of interaction between mail agents and daemons: http://lists.samba.org/pipermail/linux/1999-September/003605.html -- -$Id: Email.txt,v 1.2 2002-12-28 02:03:20 jonas Exp $ +$Id: Email.txt,v 1.3 2002-12-31 02:31:21 jonas Exp $ -- cgit v1.2.3