This is the comment you were replying to, attached to the article Creating and Using a self signed SSL Certificates in debian:
#3 Re: Creating and Using a self signed SSL Certificates in debian
Posted by dkg (216.254.xx.xx) on Fri 4 Nov 2005 at 04:20
Awesome article. Thanks for collecting all these pieces in a single place.
I've found that tinyca (debian package info) is a decent tool for prompting you for most of the relevant pieces of information you might need, especially if signing cert requests is something you do infrequently enough that you forget the exact details. A good secure configuration is to run tinyCA on a dedicated old machine which never connects to the net. You can then import the certificate requests with a USB key or floppy disk, sign them on the isolated machine, and return the new certs via the same removable medium.
To future-proof your article: you might want to consider increasing the default bit length of your keypair in openssl.cnf, assuming your TLS-enabled server is running reasonable hardware. OpenSSH (which uses different PKI infrastructure, but similar math) just increased default key length to 2048 with version 4.2.
The one final missing piece would be to write up something comparably detailed about Certificate Revocation and how to manage, create, and distribute Certificate Revocation Lists using Debian tools. If I get a chance, I'll try to write up something on that for this site.
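The isolated-machine signing step and the key-length advice in the comment above, as an added example that is not part of dkg's comment or the original article: a gate run on the offline CA that checks a request carried over on removable media before signing it. The use of the openssl command line (the comment suggests tinyCA), the function names, the file arguments, the RSA-only size check, the 2048-bit minimum as a signing policy and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example: CA-side checks on the isolated signing machine.
# Assumptions (not from the original page): openssl CLI, RSA requests,
# hypothetical function and file names, MIN_BITS policy, 365-day validity.
MIN_BITS=2048

# Print the public key size (in bits) of a PEM certificate request.
# The label differs between openssl versions ("Public-Key" / "Public Key").
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the request's self-signature verifies, i.e. the file was
# not altered or truncated on the removable medium. Some openssl builds
# exit 0 even on failure, so match the status text, not the exit code.
csr_selfsig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# sign_csr CSR CA_CERT CA_KEY OUT_CERT
# Refuses damaged requests and keys shorter than MIN_BITS, then signs.
sign_csr() {
    csr=$1; ca_crt=$2; ca_key=$3; out=$4
    csr_selfsig_ok "$csr" || { echo "refused: bad CSR signature" >&2; return 1; }
    bits=$(csr_bits "$csr")
    [ -n "$bits" ] || { echo "refused: cannot read key size" >&2; return 1; }
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "refused: $bits-bit key, minimum is $MIN_BITS" >&2
        return 1
    fi
    openssl x509 -req -in "$csr" -CA "$ca_crt" -CAkey "$ca_key" \
        -CAcreateserial -days 365 -out "$out" 2>/dev/null
}
```

On the offline machine this would be called as `sign_csr /media/usb/server.csr ca.crt ca.key /media/usb/server.crt`, with the paths being placeholders for wherever the removable medium is mounted.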