On 10/16/05, sean finney <[EMAIL PROTECTED]> wrote:
> On Sun, Oct 16, 2005 at 03:59:17PM +0200, Wouter Verhelst wrote:
> > Such a tool would be very nice, and not just because of the cruft they
> > leave behind -- many packages currently support SSL connections; some
> > automatically generate a self-signed certificate upon installation,
> > others leave that to the admin. Some use debconf to ask information for
> > the certificate (or to warn that a certificate has to be generated
> > before SSL will be enabled), some don't.
> >
> > A unified API to clean up this mess would be very interesting.
>
> i would suggest that in addition to supplying an api, it would be
> very helpful to provide all the debconf templates and maintainer
> script logic as well. i do such an approach in dbconfig-common
I'm not sure if this idea is possible SSL-wise, but it'd be nice to support the following scenario (I hope it makes sense).

Have a self-signed root certificate (A) of which the private part is not on the server. This would be downloaded and accepted by the user once.

Have a server certificate (B), signed by A, of which the private part is on the server.

Have a service certificate (C), signed by B, of which the private part is on the server.

The advantage is that C certificates can be automatically generated and that B and C certificates can be renewed and revoked without the user having to redownload/reaccept a certificate.
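An added illustration of the A/B/C layout above, not part of the thread, written as a shell script around the openssl command line; the directory layout, subject names and host names are made up:

```shell
#!/bin/sh
# Added example (not from the thread): the three-tier layout proposed above.
#   A = self-signed root; its key stays under "$d/offline" and never reaches a host
#   B = server CA signed by A; its key lives under "$d/server"
#   C = per-service leaf signed by B; reissued freely without touching A's key
set -eu

build_hierarchy() {            # $1 = working directory (made-up layout)
    d=$1; mkdir -p "$d/offline" "$d/server"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    # Root A: self-signed. Only A.crt is ever handed to users.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/offline/A.key" 2>/dev/null
    openssl req -new -key "$d/offline/A.key" -subj "/CN=Example Root A" -out "$d/offline/A.csr"
    openssl x509 -req -in "$d/offline/A.csr" -signkey "$d/offline/A.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/offline/A.crt" 2>/dev/null
    # Server CA B: signed by A, so B's private key may sit on the server.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/server/B.key" 2>/dev/null
    openssl req -new -key "$d/server/B.key" -subj "/CN=Example Server CA B" -out "$d/server/B.csr"
    openssl x509 -req -in "$d/server/B.csr" -CA "$d/offline/A.crt" -CAkey "$d/offline/A.key" \
        -CAcreateserial -days 825 -extfile "$d/ca.ext" -out "$d/server/B.crt" 2>/dev/null
}

# Issue (or reissue) a service certificate C signed by B. $1 = dir, $2 = host name.
issue_service_cert() {
    d=$1; host=$2
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$d/server/$host.ext"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/server/$host.key" 2>/dev/null
    openssl req -new -key "$d/server/$host.key" -subj "/CN=$host" -out "$d/server/$host.csr"
    openssl x509 -req -in "$d/server/$host.csr" -CA "$d/server/B.crt" -CAkey "$d/server/B.key" \
        -CAcreateserial -days 90 -extfile "$d/server/$host.ext" -out "$d/server/$host.crt" 2>/dev/null
}

# What a client that accepted A once does: trust only A, take B from the server's chain.
verify_service_cert() {        # $1 = dir, $2 = host name; exit status 0 when the chain verifies
    openssl verify -CAfile "$1/offline/A.crt" -untrusted "$1/server/B.crt" \
        "$1/server/$2.crt" >/dev/null 2>&1
}

# Demo: build once, issue C, then "renew" C by issuing again; A's key is never needed.
demo_dir=$(mktemp -d)
build_hierarchy "$demo_dir"
issue_service_cert "$demo_dir" imap.example.org
issue_service_cert "$demo_dir" imap.example.org   # renewal: same host, fresh key and cert
verify_service_cert "$demo_dir" imap.example.org && echo "chain A -> B -> C verifies"
```

Revoking B would be done with a CRL signed by A, which this script does not cover.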