ssl certificates...
Henning Sprang
henning_sprang at gmx.de
Thu Nov 15 13:26:59 CET 2007
A FAI user who wants to stay anonymous, just sent me this info on
handling ssl keys for servers - secret stuff that might not be good
placed in the configspace.
I did not test it and have no info on it, just posting it as the person
I oit it from must stay anonymous, and it _might_ help somebody.
I'm not putting it into the wiki as I have not tested it and cannot take
care of it - if you have success with this, please put it into the wiki!
=== Installing shelf signed certificates into the FAI ===
For out Linux clients we put our two public SSL certificates into FAI's
fcopy area. The certificates should be installed under
/usr/share/ca-certificates and files with extension ".crt" are
recognized as available certs:
*
files/usr/share/ca-certificates/our-domain.com/root-ca-cert-pem.crt/DEFAULT
* files/usr/share/ca-certificates/our-domain.com/ua-rz-ca-pem.crt/DEFAULT
=== package_config/DEFAULT ===
The class "package_config/DEFAULT" contains the Debian package
"ca-certificates", which is installed on every FAI PC by this way.
=== scripts/DEFAULT/85-rehash-certs ===
The script "scripts/DEFAULT/85-rehash-certs" registers our two
certificates either by using the openssl's "c_rehash"-shellscript or
--if available-- by using the ca-certificates Debian package's
"update-ca-certificate"-shellscript:
ainsl $target/etc/ca-certificates.conf
"our-domain.com/root-ca-cert-pem.crt"
ainsl $target/etc/ca-certificates.conf "our-domain.com/rz-ca-pem.crt"
if [ -x $target/usr/sbin/update-ca-certificates ]; then
chroot $target update-ca-certificates
else
chroot $target /usr/bin/c_rehash /etc/ssl/certs
fi
Es waere prima, wenn Du oder jemand aus dem FAI Projekt das bei
Gelegenheit zur Dokumentation in die FAI-Mailingliste oder in das
FAI-Wiki stellen koennte. Vielleicht ist es auch fuer andere
FAI-Anwender nuetlich..
More information about the linux-fai
mailing list