Changes between Version 11 and Version 12 of mosh-x509


Timestamp:
Aug 15, 2016, 9:29:47 AM (3 years ago)
Author:
Jamie McClelland
Comment:

--

  • mosh-x509

    v11 v12  
    1111 * /etc/ssl/HOST.mayfirst.org.crt: contains both the X.509 End Entity (EE) certificate and any required intermediary certificates (server (EE) cert first, intermediary second)
    1212 * /etc/ssl/private/HOST.mayfirst.org.pem: contains the key file, the EE certificate, and any required intermediary certificates (in that order)
    13  * /etc/ssl/HOST.mayfirst.org.csr: certificate signing request (CSR), used to request a new certificate when the existing one expires
     13 
     14These files are all symlinks to the actual files in the /etc/letsencrypt/live hierarchy.
    1415
    15 On a new server, puppet will generate a 2048-bit RSA key as /etc/ssl/private/HOST.mayfirst.org.uncertified.key and /etc/ssl/HOST.mayfirst.org.csr. In addition /etc/ssl/HOST.mayfirst.org.crt is created as a symlink to /etc/ssl/cert/ssl-cert-snakeoil.pem and /etc/ssl/private/HOST.mayfirst.org.pem is a symlink to /etc/ssl/private/ssl-cert-snakeoil.key. These symlinks are created to ensure that services that rely on them are properly started.
     16On a new MOSH server [wiki:configure-mosh-x509 configured to use letsencrypt], puppet will generate all needed files and symlinks
    1617
    17 A sysadmin is required to submit the CSR to a [wiki:ordering-cartel-x509-certificates company that provides x509 certs]. Once the sysadmin has the certificate, s/he should replace the symlinked files with the appropriate files:
    18  * replace the /etc/ssl/HOST.mayfirst.org.crt symlink with a file containing the actual certificate and any intermediary certificates
    19  * delete the /etc/ssl/private/HOST.mayfirst.org.pem symlink
    20  * move /etc/ssl/private/HOST.mayfirst.org.uncertified.key to /etc/ssl/private/HOST.mayfirst.org.pem
    21  * append both the certificate and any intermediary certificates to /etc/ssl/private/HOST.mayfirst.org.pem
    22  * restart apache2, postfix, courier-imap-ssl and courier-pop-ssl
    23 
    24 If, for some reason, the MOSH server is using a common name other than HOST.mayfirst.org (e.g. secure.critpath.org is used instead of didier.mayfirst.org), then the files should be named after the common name (secure.critpath.org) and HOST.mayfirst.org should be a symlink to the actual file. This naming convention helps us easily identify what common name the certificates should be presenting.
    2518
    2619= Service configuration =
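Review bot: the revised text is internally inconsistent about the combined PEM file. The unchanged bullet for /etc/ssl/private/HOST.mayfirst.org.pem still says it holds the key, the EE certificate and any intermediates in one file, but the new sentence "These files are all symlinks to the actual files in the /etc/letsencrypt/live hierarchy" gives no file in that hierarchy that contains key and chain together, and the manual step that built it ("append both the certificate and any intermediary certificates to /etc/ssl/private/HOST.mayfirst.org.pem") has been removed; say what produces that concatenated file and what refreshes it when letsencrypt renews the certificate, otherwise the services reading it will keep serving the old certificate. The removed bullet "restart apache2, postfix, courier-imap-ssl and courier-pop-ssl" also has no replacement: with automatic renewal something still has to reload those services so they pick up the new certificate, so the page should name it (a renewal hook, the puppet run, or a manual step), and the [wiki:configure-mosh-x509 ...] link should cover it if that is where it lives. Finally, the paragraph on servers whose common name is not HOST.mayfirst.org (the secure.critpath.org / didier.mayfirst.org case, with the symlink naming convention) was dropped without saying whether that convention still applies under the letsencrypt setup; if it does, keep the paragraph, and if it no longer does, say what replaces it.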