comment about setupssl.sh

Susan wrote:
> I was looking through the script from the wiki and I saw this line:
>
> ../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" .....
>
> Wouldn't it be better to change that to -n "`hostname`" or something like that because when you
> create certs for multiple servers, they all end up being called Server-Cert which causes
> confusion.
>
> What do you guys think?
>   
setupssl.sh was created in order to create only 3 certs - the initial CA 
cert, the initial DS cert, and the initial AS cert.  It uses Server-Cert 
for DS and server-cert for AS because that is what the defaults are for 
those servers.  If you do not use those names (and the server cannot 
automatically discover an appropriate cert to use), you will have to 
change the server SSL configuration.

There needs to be a script that you can use to generate multiple 
key/cert pairs for multiple hosts, using your CA key/cert.

One solution would be to change setupssl.sh to accept a list of FQDNs 
for which to create DS and AS certs.  Then you could just create all of 
the key/cert databases at once, and just copy them to the 
/opt/fedora-ds/alias directory on each machine.

Another solution would be to change setupssl.sh to be run on each 
machine.  The first time you run it on your first machine, it would 
create a key/cert db for the CA only in addition to key/cert dbs for the 
DS and the AS.  Then you would just copy the CA key/cert db and the 
setupssl.sh script to each machine and run it there.
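The first proposal in the reply above (a list of FQDNs in, one key/cert database per host out), sketched as an added example; it is not the wiki's setupssl.sh and not code from the thread, and it covers only the DS certificate. Assumptions not taken from the post: the CA nickname "CA certificate", the files pwdfile.txt, noise.txt and cacert.asc in the CA database directory, the alias-<fqdn> output directories, serial numbers starting at 1001 and 120 months of validity.

```shell
#!/bin/sh
# Added example: one NSS key/cert db per host, all signed by a single CA db.
# Assumed names (not from the post): CA nickname, pwdfile.txt, noise.txt,
# cacert.asc (ASCII export of the CA cert), alias-<fqdn> output directories.
CA_DB=${CA_DB:-.}
CA_NICK=${CA_NICK:-CA certificate}
DRY_RUN=${DRY_RUN:-1}    # 1 = print the certutil commands instead of running

# The FQDN ends up in a subject DN and in a path, so accept plain DNS names
# only: no ',', '=', '/', spaces, empty labels or single-label names.
fqdn_ok() {
    case $1 in
        ''|.*|*.|*..*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

make_host_db() {    # $1 = FQDN, $2 = certificate serial number
    fqdn_ok "$1" || { echo "skipping invalid FQDN: $1" >&2; return 1; }
    db="alias-$1"; pw="$CA_DB/pwdfile.txt"
    # Key pair and request are created in the host's own db; the CA private
    # key signs the request from CA_DB and is never copied to the host db.
    # Every db keeps the default nickname Server-Cert; the CN names the host.
    run mkdir -p "$db" &&
    run certutil -N -d "$db" -f "$pw" &&
    run certutil -R -s "cn=$1,ou=Fedora Directory Server" -d "$db" -f "$pw" \
        -z "$CA_DB/noise.txt" -a -o "$db/server.csr" &&
    run certutil -C -c "$CA_NICK" -d "$CA_DB" -f "$pw" -a \
        -i "$db/server.csr" -o "$db/server.crt" -m "$2" -v 120 &&
    run certutil -A -n "$CA_NICK" -t "CT,," -d "$db" -a -i "$CA_DB/cacert.asc" &&
    run certutil -A -n "Server-Cert" -t "u,u,u" -d "$db" -a -i "$db/server.crt"
}

make_all() {        # arguments: the list of FQDNs
    serial=1001; rc=0
    for h in "$@"; do
        if make_host_db "$h" "$serial"; then serial=$((serial + 1)); else rc=1; fi
    done
    return $rc
}

if [ $# -gt 0 ]; then make_all "$@"; fi
```

With DRY_RUN=0 the commands are executed; the resulting alias-<fqdn> directories hold private keys and should be moved to each host over a protected channel.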

