blob: d4a278e3f486c6c2dc5f29d8f05d1adec7852799 (
plain)
- Public Key Infrastructure (PKI)
- ===============================
- Hosts
- -----
- Host certificates can be either self-signed or signed by a CA. The
- private key can be either embedded into the same file as the certificate
- or in a separate file.
- The simplest form is a self-signed certificate with null-password
- embedded key.
- Beware that passwords for host certificates usually means you will need
- to manually start the services.
- Self-signed host certificates contain both certificate and key in same
- file. The file is placed in /etc/ssl/certs/ named by the service it
- provides appended ".pem".
- CA signed host certificates have separate public (certificate) and
- private (key) parts. The certificate is located as with self-signed
- ones, and keys are placed in /etc/ssl/private/ named similarly.
- The script /usr/share/local/localmksslcerts can be used to make
- self-signed certificates with embedded keys.
- Certificates should be chmod'ed 0444 and keys 0400.
- Certificate Authority
- ---------------------
- CA Certificates are divided in a public certificate and a private key.
- The CA certificate is placed in /etc/ssl/certs/ and named loosely by the
- CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.crt".
- Example: IT_guide_dr_Jones_CA.pem
- CA key is located in /etc/ssl/private/ equally named.
- Certificate is symlinked to "/etc/ssl/certs/cacert.pem" for easy
- locating by scripts.
- More info here: http://tirian.magd.ox.ac.uk/~nick/openssl-certs/ca.shtml
- Read here about confusion between commercial CAs and actual security:
- http://www.counterpane.com/pki-risks.html
- Like with hosts, certificates should be chmod'ed 0444 and keys 0400.
- Users
- -----
- Have a look at this web page:
- http://www.cise.ufl.edu/help/secure-access/ssl-mail-setup.shtml
- The script is at /usr/share/local/mycert, adapted to Debian GNU/Linux.
- --
- $Id: Certificates.txt,v 1.3 2002-12-31 02:31:21 jonas Exp $
|
