diff options
Diffstat (limited to 'doc/Certificates.txt')
| -rw-r--r-- | doc/Certificates.txt | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/doc/Certificates.txt b/doc/Certificates.txt index 6a71526..d4a278e 100644 --- a/doc/Certificates.txt +++ b/doc/Certificates.txt @@ -10,40 +10,49 @@ or in a separate file. The simplest form is a self-signed certificate with null-password embedded key. +Beware that passwords for host certificates usually means you will need +to manually start the services. + Self-signed host certificates contain both certificate and key in same file. The file is placed in /etc/ssl/certs/ named by the service it provides appended ".pem". -CA signed host certificates , or symlinked with that name from -hostname.key or whatever makes best sense in the situation, either with -the key embedded or the key at the same place. +CA signed host certificates have separate public (certificate) and +private (key) parts. The certificate is located as with self-signed +ones, and keys are placed in /etc/ssl/private/ named similarly. The script /usr/share/local/localmksslcerts can be used to make self-signed certificates with embedded keys. +Certificates should be chmod'ed 0444 and keys 0400. + Certificate Authority --------------------- CA Certificates are divided in a public certificate and a private key. The CA certificate is placed in /etc/ssl/certs/ and named loosely by the -CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.pem". +CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.crt". Example: IT_guide_dr_Jones_CA.pem -CA Key is located in /etc/ssl/private/ equally named. +CA key is located in /etc/ssl/private/ equally named. Certificate is symlinked to "/etc/ssl/certs/cacert.pem" for easy locating by scripts. +More info here: http://tirian.magd.ox.ac.uk/~nick/openssl-certs/ca.shtml + Read here about confusion between commercial CAs and actual security: http://www.counterpane.com/pki-risks.html +Like with hosts, certificates should be chmod'ed 0444 and keys 0400. + Users ----- Have a look at this web page: http://www.cise.ufl.edu/help/secure-access/ssl-mail-setup.shtml -The script is at /usr/share/local/mycert - adapted to Debian GNU/Linux. +The script is at /usr/share/local/mycert, adapted to Debian GNU/Linux. -- -$Id: Certificates.txt,v 1.2 2002-12-28 02:03:20 jonas Exp $ +$Id: Certificates.txt,v 1.3 2002-12-31 02:31:21 jonas Exp $ |