vertigo-certificate
Creates and updates certificates for domains, and also maintains a CA (Certificate Authority) certificate with which it signs those certificates itself.
It does not maintain configuration files for using the certificates, only for generating them.
This is not done in a very secure manner: when more than one server is used, the certificates (including private keys) are shared over the network. Also, to avoid having to "manually" sign the certificates, they are not encrypted in any way.
Will be (or already has been) introduced in release 0.6.4.
Directories
- certificates The directory containing the generated certificates, along with the corresponding keys. It is normally set to /etc/vertigo/certificates; this directory should be shared (e.g. using NFS) so that all servers can use the certificates to provide an encrypted channel for their services.
Variables
- CA Organization Is the organization that maintains the CA authority, e.g. "Infonet".
- CA Organizational Unit The unit within the organization maintaining the CA authority, e.g. "CA".
- CA Country Code The 2-letter country code where the CA is located, e.g. "DK".
- CA Locality A more specific locality: for US people this is the state, for the rest of us it is just the city, e.g. "Randers".
- CA Common Name The common name. For domain certificates this is the domain name (including an optional sub-domain); for the CA itself it is the "name" of the certificate, e.g. "Infonet CA".
- CA Email Address The email address that should be associated with the CA certificate.
Files
- CA key The filename of the private CA key. It should be kept in a location that is not reachable over the network and that is only readable (and writable) by root, e.g. /etc/vertigo/ca/ca.key
- CA certificate The certificate accompanying the CA key. It should be placed somewhere such that the users of the Vertigo-controlled domains can install it in their programs to verify the authenticity of the generated certificates; somewhere like /var/www/infonet.dk/ca/ca.cert should be adequate.
- CA serial number Each certificate must have a unique serial number; this file maintains a running counter for the next serial number. Defaults to /var/lib/vertigo/ca_serial_number
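The following script is an added illustration of the workflow the variables and files above describe, written with the openssl command line; it is not vertigo-certificate's own code. It assumes a scratch directory instead of the real /etc/vertigo and /var/lib/vertigo paths, keeps the CA key outside the shared certificates directory with root-only permissions, and advances the serial-number counter file for every certificate it signs. The email address and the www.infonet.dk domain used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of vertigo-certificate: a self-signed CA plus one
# domain certificate signed by it, using the page's variables and files.
set -eu

# --- Variables (values taken from the page's examples; email is a placeholder)
CA_ORG="Infonet"
CA_OU="CA"
CA_COUNTRY="DK"
CA_LOCALITY="Randers"
CA_CN="Infonet CA"
CA_EMAIL="ca@example.invalid"

# --- Files and directories (scratch locations standing in for the real paths)
WORK="${VERTIGO_CA_WORK:-$(mktemp -d)}"
CA_KEY="$WORK/ca/ca.key"                  # real: /etc/vertigo/ca/ca.key (not shared)
CA_CERT="$WORK/ca/ca.cert"                # real: /var/www/<domain>/ca/ca.cert
CA_SERIAL="$WORK/ca_serial_number"        # real: /var/lib/vertigo/ca_serial_number
CERT_DIR="$WORK/certificates"             # real: /etc/vertigo/certificates (shared)

# Keys are written with no group/world permissions.
umask 077

# Build the OpenSSL subject string for the CA from the variables above.
ca_subject() {
  printf '/C=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' \
    "$CA_COUNTRY" "$CA_LOCALITY" "$CA_ORG" "$CA_OU" "$CA_CN" "$CA_EMAIL"
}

# Print the next serial number and advance the counter file (starts at 1).
next_serial() {
  n=1
  [ -f "$CA_SERIAL" ] && n=$(cat "$CA_SERIAL")
  echo $((n + 1)) > "$CA_SERIAL"
  echo "$n"
}

# Create the private CA key and a self-signed CA certificate (10 years).
create_ca() {
  mkdir -p "$(dirname "$CA_KEY")"
  openssl genrsa -out "$CA_KEY" 2048 2>/dev/null
  chmod 600 "$CA_KEY"
  openssl req -new -x509 -key "$CA_KEY" -days 3650 \
    -subj "$(ca_subject)" -out "$CA_CERT"
}

# Generate a key for a domain and issue a CA-signed certificate with a unique
# serial taken from the counter file. The CSR is only a temporary artefact.
issue_cert() {
  domain="$1"
  mkdir -p "$CERT_DIR"
  openssl genrsa -out "$CERT_DIR/$domain.key" 2048 2>/dev/null
  openssl req -new -key "$CERT_DIR/$domain.key" \
    -subj "/C=$CA_COUNTRY/O=$CA_ORG/CN=$domain" -out "$CERT_DIR/$domain.csr"
  openssl x509 -req -in "$CERT_DIR/$domain.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
    -set_serial "$(next_serial)" -days 365 -out "$CERT_DIR/$domain.cert" 2>/dev/null
  rm -f "$CERT_DIR/$domain.csr"
}

# Check that a domain certificate chains to the CA certificate (exit 0 = ok).
verify_cert() {
  openssl verify -CAfile "$CA_CERT" "$CERT_DIR/$1.cert" >/dev/null 2>&1
}

# Usage: sh this_script.sh demo [domain]
case "${1:-}" in
  demo)
    create_ca
    issue_cert "${2:-www.infonet.dk}"
    verify_cert "${2:-www.infonet.dk}" && echo "verified: $CERT_DIR"
    ;;
esac
```

Only the certificates directory is meant to be shared between servers; the CA key stays local and root-only, which is the one mitigation the page's own design note depends on.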