ssl certificates...

Henning Sprang henning_sprang at gmx.de
Thu Nov 15 13:26:59 CET 2007


A FAI user who wants to stay anonymous just sent me this info on
handling ssl keys for servers - secret stuff that might not be good
placed in the configspace.

I did not test it and have no info on it, just posting it as the person
I got it from must stay anonymous, and it _might_ help somebody.

I'm not putting it into the wiki as I have not tested it and cannot take
care of it - if you have success with this, please put it into the wiki!




=== Installing self-signed certificates into the FAI ===

For our Linux clients we put our two public SSL certificates into FAI's
fcopy area. The certificates should be installed under
/usr/share/ca-certificates and files with extension ".crt" are
recognized as available certs:

* files/usr/share/ca-certificates/our-domain.com/root-ca-cert-pem.crt/DEFAULT
* files/usr/share/ca-certificates/our-domain.com/ua-rz-ca-pem.crt/DEFAULT

=== package_config/DEFAULT ===

The class "package_config/DEFAULT" contains the Debian package
"ca-certificates", which is installed on every FAI PC this way.

=== scripts/DEFAULT/85-rehash-certs ===

The script "scripts/DEFAULT/85-rehash-certs" registers our two
certificates either by using openssl's "c_rehash" shell script or
-- if available -- by using the ca-certificates Debian package's
"update-ca-certificates" shell script:

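# ainsl (FAI's AppendIfNoSuchLine) adds each certificate to the list
# of certificates that update-ca-certificates activates
ainsl "$target/etc/ca-certificates.conf" "our-domain.com/root-ca-cert-pem.crt"
ainsl "$target/etc/ca-certificates.conf" "our-domain.com/rz-ca-pem.crt"
if [ -x "$target/usr/sbin/update-ca-certificates" ]; then
  # preferred: rebuild /etc/ssl/certs from ca-certificates.conf
  chroot "$target" update-ca-certificates
else
  # fallback: only recreate the hash symlinks in /etc/ssl/certs
  chroot "$target" /usr/bin/c_rehash /etc/ssl/certs
fi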

It would be great if you or someone from the FAI project could, when
there is an opportunity, post this to the FAI mailing list or put it
into the FAI wiki as documentation. Perhaps it is also useful for other
FAI users.
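
A pre-flight check for the procedure above, as an added example that is not part of the original post: it verifies that every active entry in ca-certificates.conf has a matching PEM file under usr/share/ca-certificates, and that no private key has slipped into the certificate store. The helper names check_ca_conf and make_sample_tree are hypothetical, and the sample tree is constructed from the file names quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a FAI target
# tree around scripts/DEFAULT/85-rehash-certs.
# check_ca_conf and make_sample_tree are hypothetical helper names.

# Print one finding per line; return 0 only if there are none.
check_ca_conf() {
    root=$1
    conf="$root/etc/ca-certificates.conf"
    store="$root/usr/share/ca-certificates"
    problems=0
    [ -r "$conf" ] || { echo "missing-conf"; return 2; }
    while IFS= read -r entry; do
        case $entry in
            ''|'#'*|'!'*) continue ;;  # blank, comment, deselected entry
        esac
        crt="$store/$entry"
        if [ ! -f "$crt" ]; then
            # update-ca-certificates cannot link a file that is absent
            echo "no-file $entry"; problems=$((problems + 1)); continue
        fi
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$crt"; then
            echo "not-pem $entry"; problems=$((problems + 1))
        fi
        if grep -q -- 'PRIVATE KEY-----' "$crt"; then
            # key material must never ship in the world-readable cert store
            echo "private-key $entry"; problems=$((problems + 1))
        fi
    done < "$conf"
    [ "$problems" -eq 0 ]
}

# Constructed sample tree using the file names quoted in the post.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    d="$t/usr/share/ca-certificates/our-domain.com"
    mkdir -p "$d" "$t/etc"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$d/root-ca-cert-pem.crt"
    cp "$d/root-ca-cert-pem.crt" "$d/ua-rz-ca-pem.crt"
    printf '%s\n' '# constructed conf' \
        'our-domain.com/root-ca-cert-pem.crt' \
        'our-domain.com/rz-ca-pem.crt' > "$t/etc/ca-certificates.conf"
    echo "$t"
}
```

In a FAI script this would be called as check_ca_conf "$target" after the ainsl lines, aborting the step if it returns non-zero.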

