[Fedora-directory-users] comment about setupssl.sh
Richard Megginson
rmeggins at redhat.com
Wed Mar 29 18:39:32 UTC 2006
Susan wrote:
> I was looking through the script from the wiki and I saw this line:
>
> ../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" .....
>
> Wouldn't it be better to change that to -n "`hostname`" or something like that because when you
> create certs for multiple servers, they all end up being called Server-Cert which causes
> confusion.
>
> What do you guys think?
>

setupssl.sh was created in order to create only 3 certs - the initial CA
cert, the initial DS cert, and the initial AS cert. It uses Server-Cert
for DS and server-cert for AS because that is what the defaults are for
those servers. If you do not use those names (and the server cannot
automatically discover an appropriate cert to use), you will have to
change the server SSL configuration.

There needs to be a script that you can use to generate multiple
key/cert pairs for multiple hosts, using your CA key/cert.

One solution would be to change setupssl.sh to accept a list of FQDNs
for which to create DS and AS certs. Then you could just create all of
the key/cert databases at once, and just copy them to the
/opt/fedora-ds/alias directory on each machine.

Another solution would be to change setupssl.sh to be run on each
machine. The first time you run it on your first machine, it would
create a key/cert db for the CA only in addition to key/cert dbs for the
DS and the AS. Then you would just copy the CA key/cert db and the
setupssl.sh script to each machine and run it there.
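
The first approach from the reply (a list of FQDNs, one key/cert database per host), as an added example that is not part of the original message or of setupssl.sh. It covers only the DS cert and signs each host's request in the CA database, so the per-host databases that get copied out contain the CA certificate but not the CA key. The directory names, password and noise files, the "CA certificate" nickname, and the serial numbering are assumptions.

```shell
#!/bin/sh
# Added example: one NSS key/cert db per FQDN, each holding a "Server-Cert"
# signed by a CA kept in a separate db. All paths/names below are assumptions.
CERTUTIL=${CERTUTIL:-certutil}
CA_DB=${CA_DB:-./ca-db}               # db holding the CA key and cert
CA_NICK=${CA_NICK:-CA certificate}    # assumed CA nickname
CA_PWFILE=${CA_PWFILE:-./ca-pwd.txt}  # password file for the CA db
PWFILE=${PWFILE:-./pwd.txt}           # password file for the host dbs
NOISE=${NOISE:-./noise.txt}           # random seed data for key generation
OUT=${OUT:-./host-dbs}                # one subdirectory per FQDN

# issue_host_cert FQDN SERIAL
issue_host_cert() {
    # Reject names that could alter the subject DN or the output path.
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9.-]*) echo "bad hostname: $1" >&2; return 2 ;;
    esac
    db="$OUT/$1"
    mkdir -p "$db" &&
    # New empty db for this host, then a key pair and a certificate request.
    $CERTUTIL -N -d "$db" -f "$PWFILE" &&
    $CERTUTIL -R -s "cn=$1,ou=Fedora Directory Server" \
        -o "$db/req.der" -d "$db" -z "$NOISE" -f "$PWFILE" &&
    # Sign the request with the CA key; only the request enters the CA db.
    $CERTUTIL -C -c "$CA_NICK" -i "$db/req.der" -o "$db/cert.der" \
        -m "$2" -v 120 -d "$CA_DB" -f "$CA_PWFILE" &&
    # Export the CA cert (public part only) and trust it in the host db.
    $CERTUTIL -L -n "$CA_NICK" -d "$CA_DB" -r > "$db/ca.der" &&
    $CERTUTIL -A -n "$CA_NICK" -t "CT,," -i "$db/ca.der" -d "$db" &&
    # Keep the default nickname so the DS SSL config needs no change.
    $CERTUTIL -A -n "Server-Cert" -t "u,u,u" -i "$db/cert.der" -d "$db"
}

# issue_all FQDN... : unique serial per host, starting at SERIAL_BASE.
issue_all() {
    serial=${SERIAL_BASE:-1001}
    for host in "$@"; do
        issue_host_cert "$host" "$serial" || return 1
        serial=$((serial + 1))
    done
}

# Run only when hostnames are given on the command line.
if [ "$#" -gt 0 ]; then issue_all "$@"; fi
```

Because every database uses the nickname Server-Cert, the host is identified by the directory name and by the cn in the subject rather than by the nickname.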