Re: [Libvir] Certificate management APIs ?

[Apologies also that this is not threaded with the original post]
$HOME/.libvirt/tls/
 |
 +- ca
 |   |
 |   +- cert.pem
 |   +- ca-crl.pem

Note that there are standard locations for CA certs. On my Debian box the standard locations appear to be /etc/ca-certificates.conf and /usr/share/ca-certificates. Not sure yet about Fedora/RHEL.

I suppose you hope that people will be using formal CAs rather than their own, or at least have a CA certificate issued by a formal CA from which they can issue their own client & server certs.

Rich.

-- 
Red Hat UK Ltd.
64 Baker Street, London, W1U 7DF
Mobile: +44 7866 314 421 (will change soon)

On Mon, Jan 15, 2007 at 06:23:35PM +0000, Richard W.M. Jones wrote:
> [Apologies also that this is not threaded with the original post]
>
> $HOME/.libvirt/tls/
>  |
>  +- ca
>  |   |
>  |   +- cert.pem
>  |   +- ca-crl.pem
>
> Note that there are standard locations for CA certs. On my Debian box the standard locations appear to be /etc/ca-certificates.conf and /usr/share/ca-certificates. Not sure yet about Fedora/RHEL.

It looks like /etc/pki or /etc/pki/tls is the equivalent 'standard' directory for Fedora & derivatives.

> I suppose you hope that people will be using formal CAs rather than their own, or at least have a CA certificate issued by a formal CA from which they can issue their own client & server certs.

At the corporate end I'd expect them to have formal CA & certificate issuing procedures. Most community folks will likely end up just creating a private self-signed CA cert - if we document it, it's a fairly trivial command or two to run using openssl, or certtool. If people were really bothered then we could provide a convenience shell script to get started.

From my experience thus far, most of the scary stuff with TLS is that the documentation relating to data you put into x509 certificates is complete rubbish. No one ever really explains what a 'Common Name', 'Organizational Unit' and all the other fields are about.

Dan.

-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|
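The "fairly trivial command or two" Dan mentions, written out as an added example; this is not code from the thread, from libvirt, or from a convenience script the project shipped. It is a POSIX sh script that uses the openssl command-line tool (1.1.1 or later) to create a private self-signed CA, issue one server and one client certificate from it, put the CA certificate in a ca/cert.pem slot like the tree Rich sketched, and then run the checks that show what the Common Name, subjectAltName and extendedKeyUsage fields are actually for: chain to our CA, allowed purpose, and hostname match. The organisation name, hostname (virthost.example.com), user name (alice), file names and the private/ key directory are all assumptions, and no CRL is produced, so the ca-crl.pem slot stays empty.

```shell
#!/bin/sh
# Added example, not code from the libvirt thread or project. Builds a
# private CA plus one server and one client certificate into DIR, laid out
# like the $HOME/.libvirt/tls/ tree sketched in the thread. Example Org,
# virthost.example.com and "alice" are assumptions. Needs openssl >= 1.1.1.
set -eu

# make_private_pki DIR [HOST]
#   DIR/ca/cert.pem                self-signed CA certificate (distribute this)
#   DIR/private/cakey.pem          CA private key (keep offline, never copy out)
#   DIR/servercert.pem             server cert for HOST, key in DIR/private/
#   DIR/clientcert.pem             client cert for "alice", key in DIR/private/
make_private_pki() {
    dir=$1
    host=${2:-virthost.example.com}
    mkdir -p "$dir/ca" "$dir/private"
    chmod 700 "$dir/private"

    # Self-contained config so the result does not depend on whatever
    # /etc/ssl/openssl.cnf the box ships. [dn] is a placeholder; every
    # -subj below overrides it.
    cat >"$dir/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid,issuer
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid,issuer
EOF

    # 1. The CA. Its CN is only a label for humans; what makes it a CA is
    #    basicConstraints CA:TRUE plus the keyCertSign key usage.
    openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/private/cakey.pem" -out "$dir/ca/cert.pem" \
        -subj "/O=Example Org/CN=Example Private CA" >/dev/null 2>&1

    # 2. Server cert. CN=hostname is the old convention; the subjectAltName
    #    from v3_server is what clients really match the hostname against.
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/private/serverkey.pem" -out "$dir/server.csr" \
        -subj "/O=Example Org/CN=$host" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca/cert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_server \
        -out "$dir/servercert.pem" >/dev/null 2>&1

    # 3. Client cert. Here CN (and OU) is the identity the server authorises;
    #    extendedKeyUsage=clientAuth stops it doubling as a server cert.
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/private/clientkey.pem" -out "$dir/client.csr" \
        -subj "/O=Example Org/OU=Admins/CN=alice" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca/cert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_client \
        -out "$dir/clientcert.pem" >/dev/null 2>&1

    rm -f "$dir/server.csr" "$dir/client.csr"
    chmod 600 "$dir"/private/*.pem
}

# Does the server cert chain to our CA, may it act as a TLS server, and
# does it name HOST? Exit status 0 only if all three hold.
verify_server() {
    openssl verify -CAfile "$1/ca/cert.pem" -purpose sslserver \
        -verify_hostname "$2" "$1/servercert.pem" >/dev/null 2>&1
}

verify_client() {
    openssl verify -CAfile "$1/ca/cert.pem" -purpose sslclient \
        "$1/clientcert.pem" >/dev/null 2>&1
}

# Expected to fail: the client cert carries only clientAuth, so it cannot be
# presented as a server cert even though the same CA signed it.
client_cert_as_server() {
    openssl verify -CAfile "$1/ca/cert.pem" -purpose sslserver \
        "$1/clientcert.pem" >/dev/null 2>&1
}

# Usage: sh mkpki.sh DIR [HOST]
if [ $# -ge 1 ]; then
    make_private_pki "$1" "${2:-virthost.example.com}"
    verify_server "$1" "${2:-virthost.example.com}" && echo "server cert: OK"
    verify_client "$1" && echo "client cert: OK"
    client_cert_as_server "$1" || echo "client cert refused as server cert: OK"
fi
```

Only ca/cert.pem is meant to be copied to other machines; the CA key under private/ is what lets anyone mint a certificate that every host in the deployment will trust, so it belongs offline once the certificates are issued. Because the server ends up authorising clients by the subject DN the CA put in their certificate, the CA must sign only CSRs whose CN and OU it has actually checked.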

Daniel P. Berrange wrote:
> At the corporate end I'd expect them to have formal CA & certificate issuing procedures. Most community folks will likely end up just creating a private self-signed CA cert - if we document it, it's a fairly trivial command or two to run using openssl, or certtool.

OpenSSL seems to come with a Perl script called CA.pl which actually makes creating a CA and signing certs trivial. Needless to say the documentation for this is very poor (there must be some sort of plot by the OpenSSL/PKI people to make encryption seem unnecessarily complex) but I did find some online documentation for this which unfortunately I can't find again. I'll keep looking ...

Rich.

-- 
Red Hat UK Ltd.
64 Baker Street, London, W1U 7DF
Mobile: +44 7866 314 421 (will change soon)

Richard W.M. Jones wrote:
> Daniel P. Berrange wrote:
> > At the corporate end I'd expect them to have formal CA & certificate issuing procedures. Most community folks will likely end up just creating a private self-signed CA cert - if we document it, it's a fairly trivial command or two to run using openssl, or certtool.
>
> OpenSSL seems to come with a Perl script called CA.pl which actually makes creating a CA and signing certs trivial. Needless to say the documentation for this is very poor (there must be some sort of plot by the OpenSSL/PKI people to make encryption seem unnecessarily complex) but I did find some online documentation for this which unfortunately I can't find again. I'll keep looking ...

This one: http://sandbox.rulemaker.net/ngps/m2/howto.ca.html

Rich.

-- 
Red Hat UK Ltd.
64 Baker Street, London, W1U 7DF
Mobile: +44 7866 314 421 (will change soon)

Hey,

Just one note - dovecot is an example of a server which creates a self-signed server cert in the %post scriptlet of its package. It at least allows people to run the server without doing anything. Anyone who wants a CA-signed server cert can install one later.

Cheers,
Mark.
participants (3)
- Daniel P. Berrange
- Mark McLoughlin
- Richard W.M. Jones