--- Mike Jackson <mj at sci.fi> wrote:

> > What's the best way to go about doing this? I don't want to manually create/deploy dozens of
> > certs for various clients. I also need a way to implement CRL somehow, in case a box is
> > compromised.
>
> Your clients don't need certificates, they only need a copy of your root
> CA cert - the same file for every client.

Right, I think I was confused on that point. I meant to say that I don't want to deploy the CA cert to dozens of clients. So, forget the CRL, then...

Because we have about 60 servers total. Now, /etc/openldap/cacerts/ is writable by root only and I'd have to do some serious expect/perl scripting to ssh into every machine, accept the key, su - root, scp the CA cert, log out. I really don't want to do this if I don't have to.

So, are you saying I can use OpenSSL + the Linux OpenLDAP client to do this automagically?