[clue-admin] Cert for TLS.
David L. Anselmi
anselmi at anselmi.us
Sat Jul 8 22:45:09 MDT 2006
Jed S. Baer wrote:
[...]
> Anyways, it's back on. But I think we should generate a self-signed cert.
> I have the instructions for that someplace, I think. Falls into my plate I
> guess.
So you'll just make a key pair and sign the cert with that private key,
right? As opposed to making a CA key pair (self-signing the CA cert)
and signing the server's cert with the CA key.

The former is good enough, I think, especially if it's only admins who
have any reason to use it.

The latter allows you to publish the CA cert so people can install it in
their browser and avoid warnings.

OpenVPN has some scripts (and there are probably lots of other
implementations) that allow the latter without much effort. But the
latter requires protection of the CA key, both from unauthorized use and
from loss (we only want one person to have it so it isn't misused but we
want all the admins to have it so it doesn't get lost).

No, the latter isn't worth the effort. But I think it's a more
interesting problem to work on than setting up a Jabber server. ;-)

If you want me to pull the relevant parts out of the OpenVPN scripts,
let me know.

Dave
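
Added example, not part of the original message and not taken from the OpenVPN scripts: the two options compared above, built with the openssl command line, with a check of which cert a client that trusts only the published CA cert would accept. The host name mail.example.org, the CA name and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed names, throwaway keys written to a temp dir.
set -eu

# The "former": one key pair, and the cert is signed with its own private key.
make_self_signed() {  # $1 = output dir, $2 = host name
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/self.key" -out "$1/self.crt" 2>/dev/null
}

# The "latter": a CA key pair with a self-signed CA cert, then a separate
# server key pair whose cert is signed with the CA key.
make_ca_signed() {  # $1 = output dir, $2 = host name
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Admin CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/ca.key"  # ca.key is the file to guard and to back up; ca.crt is public
}

# A cert is self-signed when its issuer name equals its subject name.
cert_kind() {  # $1 = cert file
    s=$(openssl x509 -in "$1" -noout -subject_hash)
    i=$(openssl x509 -in "$1" -noout -issuer_hash)
    if [ "$s" = "$i" ]; then echo self-signed; else echo ca-issued; fi
}

# Would a client that trusts only the given anchor accept the cert?
trusts() {  # $1 = trust anchor file, $2 = cert file
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo yes || echo no
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_self_signed "$work" mail.example.org
make_ca_signed "$work" mail.example.org
echo "self.crt:   $(cert_kind "$work/self.crt"), accepted via ca.crt: $(trusts "$work/ca.crt" "$work/self.crt")"
echo "server.crt: $(cert_kind "$work/server.crt"), accepted via ca.crt: $(trusts "$work/ca.crt" "$work/server.crt")"
```

With the self-signed cert, each client has to trust that one cert directly; with the CA, publishing ca.crt covers every server cert signed later, which is why ca.key becomes the thing to protect.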