Changes between Version 4 and Version 5 of mosh-x509


Ignore:
Timestamp:
Nov 23, 2011, 2:41:13 PM (12 years ago)
Author:
Jamie McClelland
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • mosh-x509

    v4 v5  
    99 * /etc/ssl/HOST.mayfirst.org.crt: contains both the TLS certificate and any required intermediary certificates (server cert first, intermediary second)
    1010 * /etc/ssl/private/HOST.mayfirst.org.pem: contains both the key file and the TLS certificate and any required intermediary certificates (in that order)
     11 * /etc/ssl/HOST.mayfirst.org.csr: certificate signing request, used to request a new certificate when the existing one expires
     12
     13On a new server, puppet will generate /etc/ssl/private/HOST.mayfirst.org.uncertified.key and /etc/ssl/HOST.mayfirst.org.csr. In addition /etc/ssl/HOST.mayfirst.org.crt is create as a symlink to /etc/ssl/cert/ssl-cert-snakeoil.pem and /etc/ssl/private/HOST.mayfirst.org.pem is a symlink to /etc/ssl/private/ssl-cert-snakeoil.key.
     14
     15A sysadmin is required to submit the certificate signing request to rapidssl.com (or another vendor). Once the sys admin has the certificate, s/he should replace the symlinked files with the appropriate files (e.g. replace the /etc/ssl/HOST.mayfirst.org.crt symlink with a file containing the actual certificate and any intermediary certificates and delete the /etc/ssl/private/HOST.mayfirst.org.pem symlink, move HOST.mayfirst.org.uncertified.key to HOST.mayfirst.org.pem, and add both the certificate and any intermediary certificates to that file.
    1116
    1217If, for some reason, the MOSH server is using a common name other than HOST.mayfirst.org (e.g. secure.critpath.org is used instead of didier.mayfirst.org), then the files should be named after the common name (secure.critpath.org) and HOST.mayfirst.org should be a symlink to the actual file. This naming convention helps us easily identify what common name the certificates should be presenting.