Difference between revisions of "SSL"

From CSCWiki
Line 11: Line 11:
 
A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key.
 
A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key.
  
* caffeine:/etc/ssl/private/csclub-wildcard.crt
+
* caffeine:/etc/ssl/private/csclub-wildcard.crt (for Apache)
* mail:/etc/ssl/private/csclub-wildcard.crt
+
* mail:/etc/ssl/private/csclub-wildcard.crt (for Apache, Postfix and Dovecot)
* artificial-flavours:/etc/ssl/private/csclub-www-globalsign-wildcard.crt
+
* auth1:/etc/ssl/private/csclub-wildcard.crt (for slapd)
 +
* artificial-flavours:/etc/ssl/private/csclub-wildcard.crt (for Apache and slapd)
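Review bot: The artificial-flavours entry changes the filename from csclub-www-globalsign-wildcard.crt to csclub-wildcard.crt without saying whether the Apache and slapd configuration on that host was repointed, or whether the old file should be deleted. A short note on that would keep a stale certificate and key from lingering under the old name in /etc/ssl/private. The new per-host service annotations are a good addition; consider also stating the reload or restart step for each named service, since the list is meant to be followed during a renewal.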

Revision as of 17:16, 8 October 2013

GlobalSign

The CSC currently has an SSL certificate from GlobalSign for *.csclub.uwaterloo.ca, provided at no cost to us through IST. GlobalSign likes to take a long time to respond to certificate signing requests (CSRs) for wildcard certs, so our CSR really needs to be handed off to IST at least 2 weeks in advance. Having an invalid cert for any length of time leads to terrible breakage, followed by terrible workarounds and prolonged problems.

JBROMAN WILL EXPAND THIS

Certificate Location

Keep a copy of newly generated certificates in /home/sysadmin/certs on the NFS server (currently aspartame).

The following is a list of places you'll need to put the new certificate to keep our services running. The private key (if applicable) should be kept next to the certificate, with the extension .key.

  • caffeine:/etc/ssl/private/csclub-wildcard.crt (for Apache)
  • mail:/etc/ssl/private/csclub-wildcard.crt (for Apache, Postfix and Dovecot)
  • auth1:/etc/ssl/private/csclub-wildcard.crt (for slapd)
  • artificial-flavours:/etc/ssl/private/csclub-wildcard.crt (for Apache and slapd)
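
One way to audit a deployed copy on each host in the list above, as an added example that is not part of the original wiki page: it checks that the certificate is readable, is not within a warning window of expiry, and matches the .key file kept next to it. The function names, the script filename and the 28-day default window are assumptions made here (the window is chosen to leave room for the 2-week CSR lead time), and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: audit one deployed certificate. Function names and the
# 28-day default window are assumptions, not CSC tooling.

# The page keeps the private key next to the certificate with extension .key.
key_path_for() {
    printf '%s\n' "${1%.crt}.key"
}

# SHA-256 over the DER form of a PEM public key read on stdin.
pubkey_hash() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# check_cert CERT [DAYS]
# Returns 0 = ok, 1 = expires within DAYS, 2 = key does not match, 3 = unreadable.
check_cert() {
    cert=$1
    days=${2:-28}
    openssl x509 -in "$cert" -noout 2>/dev/null || return 3
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null || return 1
    key=$(key_path_for "$cert")
    if [ -f "$key" ]; then   # "if applicable": a host may hold no key
        want=$(openssl x509 -in "$cert" -noout -pubkey | pubkey_hash)
        have=$(openssl pkey -in "$key" -pubout 2>/dev/null | pubkey_hash)
        [ "$want" = "$have" ] || return 2
    fi
    return 0
}

# Usage (hypothetical filename): sh check-cert.sh /etc/ssl/private/csclub-wildcard.crt
for c in "$@"; do
    rc=0
    check_cert "$c" || rc=$?
    case $rc in
        0) echo "$c: ok" ;;
        1) echo "$c: expires soon, start the CSR now" ;;
        2) echo "$c: does not match $(key_path_for "$c")" ;;
        3) echo "$c: missing or not a certificate" ;;
    esac
done
```

Run it on each host against the path listed for that host; a result of 2 after a renewal usually means the new certificate was copied but the old key was left in place.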