[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] Certificate management APIs ?



On Mon, Jan 15, 2007 at 06:23:35PM +0000, Richard W.M. Jones wrote:
> [Apologies also that this is not threaded with the original post]
> 
> > $HOME/.libvirt/tls/
> >      |
> >      +- ca
> >      |  |
> >      |  +- cert.pem
> >      |  +- ca-crl.pem
> 
> Note that there are standard locations for CA certs.  On my Debian box 
> the standard locations appear to be /etc/ca-certificates.conf and 
> /usr/share/ca-certificates.  Not sure yet about Fedora/RHEL.

It looks like /etc/pki or /etc/pki/tls is the equivalent 'standard'
directory for Fedora & deritives.

> I suppose you hope that people will be using formal CA's rather than 
> their own, or at least have a CA certificate issued by a formal CA from 
> which they can issue their own client & server certs.

At the corporate end I'd expect them to have formal CA & certificate issuing
procedures. Most community folks will likely end up just creating a private
self-signed CA cert - if we document it, its a fairly trivial command or
two to run using openssl, or certtool. If people were really bothered then
we could provide a convenience shell script to get started. From my 
experiance thus far, most of the scary stuff with TLS is that the documentation
relating to data you put into x509 certificates is complete rubbish. No
one ever really explains what a 'Common Name', 'Organizational Unit' and
all the other fields are about.
 
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]