Changes between Version 7 and Version 8 of mosh-x509


Timestamp: Nov 23, 2011, 3:50:23 PM
Author: Daniel Kahn Gillmor
Comment:

--

  • mosh-x509

    v7 v8  
    1 = How are x509 certificates and key files handled on MOSH servers? =
     1= How are X.509 certificates and key files handled on MOSH servers? =
    22
    33[wiki:MOSH MOSH servers] are configured to provide apache, postfix and courier services on a single server.
    44
    5 All three programs rely on the same x509 certificates and the same keys, however, they reference these keys in three different ways.
     5All three programs rely on the same X.509 certificates and the same keys, however, they reference these keys in three different ways.
    66
    77All MOSH servers should have the following files:
    88
    9  * /etc/ssl/HOST.mayfirst.org.crt: contains both the TLS certificate and any required intermediary certificates (server cert first, intermediary second)
    10  * /etc/ssl/private/HOST.mayfirst.org.pem: contains both the key file and the TLS certificate and any required intermediary certificates (in that order)
    11  * /etc/ssl/HOST.mayfirst.org.csr: certificate signing request, used to request a new certificate when the existing one expires
     9 * /etc/ssl/HOST.mayfirst.org.crt: contains both the X.509 End Entity (EE) certificate and any required intermediary certificates (server (EE) cert first, intermediary second)
     10 * /etc/ssl/private/HOST.mayfirst.org.pem: contains the key file, the EE certificate, and any required intermediary certificates (in that order)
     11 * /etc/ssl/HOST.mayfirst.org.csr: certificate signing request (CSR), used to request a new certificate when the existing one expires
    1212
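Review bot: the new wording of line 10 documents a file that concatenates the private key with public certificates, but neither version says who may read /etc/ssl/private/HOST.mayfirst.org.pem; since the .crt is world-readable by design and the .pem is not, please add the expected owner and mode (root-owned, not group/world readable, or whatever group the three services actually need) next to the file list so a sysadmin assembling the .pem by hand does not leave it 0644. Also, "intermediary second" in line 9 assumes exactly one intermediate; chains from commercial CAs often carry two, so phrase the order as "EE certificate first, then each intermediate certificate in order from the EE's issuer upward, root omitted", and use "intermediate" rather than "intermediary" throughout, which is the term the vendors' bundles use.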
    13 On a new server, puppet will generate /etc/ssl/private/HOST.mayfirst.org.uncertified.key and /etc/ssl/HOST.mayfirst.org.csr. In addition /etc/ssl/HOST.mayfirst.org.crt is created as a symlink to /etc/ssl/cert/ssl-cert-snakeoil.pem and /etc/ssl/private/HOST.mayfirst.org.pem is a symlink to /etc/ssl/private/ssl-cert-snakeoil.key. These symlinks are created to ensure that services that rely on them are properly started.
     13On a new server, puppet will generate a 2048-bit RSA key as /etc/ssl/private/HOST.mayfirst.org.uncertified.key and /etc/ssl/HOST.mayfirst.org.csr. In addition /etc/ssl/HOST.mayfirst.org.crt is created as a symlink to /etc/ssl/cert/ssl-cert-snakeoil.pem and /etc/ssl/private/HOST.mayfirst.org.pem is a symlink to /etc/ssl/private/ssl-cert-snakeoil.key. These symlinks are created to ensure that services that rely on them are properly started.
    1414
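Review bot: line 13 makes /etc/ssl/private/HOST.mayfirst.org.pem a symlink to /etc/ssl/private/ssl-cert-snakeoil.key, a key-only file, while line 10 defines that same .pem as key plus EE certificate plus intermediates; any service that reads its certificate from the .pem (rather than from the separate .crt) will therefore not find one in the bootstrap state, which contradicts the stated goal "to ensure that services that rely on them are properly started". Either point the symlink at a concatenated snakeoil key+cert file generated by puppet, or state which of the three services tolerates a key-only .pem and why. Separately, /etc/ssl/cert/ssl-cert-snakeoil.pem looks like a typo for /etc/ssl/certs/ssl-cert-snakeoil.pem, the path the Debian ssl-cert package installs to; please verify against a real host. The added "2048-bit RSA" is useful; consider also recording the mode puppet sets on the .uncertified.key so the later hand-built .pem can be checked against it.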
    15 A sysadmin is required to submit the certificate signing request to rapidssl.com (or another vendor). Once the sys admin has the certificate, s/he should replace the symlinked files with the appropriate files:
     15A sysadmin is required to submit the CSR to rapidssl.com (or another member of the CA cartel). Once the sysadmin has the certificate, s/he should replace the symlinked files with the appropriate files:
    1616 * replace the /etc/ssl/HOST.mayfirst.org.crt symlink with a file containing the actual certificate and any intermediary certificates
    1717 * delete the /etc/ssl/private/HOST.mayfirst.org.pem symlink
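Review bot: the procedure jumps from "Once the sysadmin has the certificate" straight to replacing the symlinks with no verification step; before "replace the /etc/ssl/HOST.mayfirst.org.crt symlink with a file containing the actual certificate and any intermediary certificates", add a check that the returned certificate actually matches /etc/ssl/private/HOST.mayfirst.org.uncertified.key (for example comparing `openssl x509 -noout -modulus -in cert` with `openssl rsa -noout -modulus -in key`) and that the chain validates (`openssl verify -untrusted intermediates cert`), since a mismatched or incomplete bundle will only surface as three services failing TLS handshakes. The steps also never say what becomes of the .uncertified.key file generated in line 13; state explicitly that it is the key that goes into the new .pem and whether it is renamed or removed afterwards. Finally, "another member of the CA cartel" is editorializing in an operations runbook; "another CA" reads better and is no less accurate.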