On Mon, Jan 15, 2007 at 06:23:35PM +0000, Richard W.M. Jones wrote:
[Apologies also that this is not threaded with the original post]
> $HOME/.libvirt/tls/
> |
> +- ca
> | |
> | +- cert.pem
> | +- ca-crl.pem
Note that there are standard locations for CA certs. On my Debian box
the standard locations appear to be /etc/ca-certificates.conf and
/usr/share/ca-certificates. Not sure yet about Fedora/RHEL.
It looks like /etc/pki or /etc/pki/tls is the equivalent 'standard'
directory for Fedora & deritives.
I suppose you hope that people will be using formal CA's rather
than
their own, or at least have a CA certificate issued by a formal CA from
which they can issue their own client & server certs.
At the corporate end I'd expect them to have formal CA & certificate issuing
procedures. Most community folks will likely end up just creating a private
self-signed CA cert - if we document it, its a fairly trivial command or
two to run using openssl, or certtool. If people were really bothered then
we could provide a convenience shell script to get started. From my
experiance thus far, most of the scary stuff with TLS is that the documentation
relating to data you put into x509 certificates is complete rubbish. No
one ever really explains what a 'Common Name', 'Organizational Unit' and
all the other fields are about.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules:
http://search.cpan.org/~danberr/ -=|
|=- Projects:
http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|