Difference between revisions of "SSL"
m |
|||
| Line 11: | Line 11: | ||
A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key. | A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key. | ||
| − | * caffeine:/etc/ssl/private/csclub-wildcard.crt | + | * caffeine:/etc/ssl/private/csclub-wildcard.crt (for Apache) |
| − | * mail:/etc/ssl/private/csclub-wildcard.crt | + | * mail:/etc/ssl/private/csclub-wildcard.crt (for Apache, Postfix and Dovecot) |
| − | * artificial-flavours:/etc/ssl/private/csclub | + | * auth1:/etc/ssl/private/csclub-wildcard.crt (for slapd) |
| + | * artificial-flavours:/etc/ssl/private/csclub-wildcard.crt (for Apache and slapd) | ||
Revision as of 17:16, 8 October 2013
GlobalSign
The CSC currently has an SSL Certificate from GlobalSign for *.csclub.uwaterloo.ca provided at no cost to us through IST. GlobalSign likes to take a long time to respond to certificate signing requests (CSR) for wildcard certs, so our CSR really needs to be handed off to IST at least 2 weeks in advance. Having an invalid cert for any length of time leads to terrible breakage, followed by terrible workarounds and prolonged problems.
JBROMAN WILL EXPAND THIS
Certificate Location
Keep a copy of newly generated certificates in /home/sysadmin/certs on the NFS server (currently aspartame).
A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key.
- caffeine:/etc/ssl/private/csclub-wildcard.crt (for Apache)
- mail:/etc/ssl/private/csclub-wildcard.crt (for Apache, Postfix and Dovecot)
- auth1:/etc/ssl/private/csclub-wildcard.crt (for slapd)
- artificial-flavours:/etc/ssl/private/csclub-wildcard.crt (for Apache and slapd)