Hi Daniel,

On Sun, 6 Mar 2016, Daniel Pocock wrote:
> Should the make-ssl-cert script continue doing the same thing, creating
> Snakeoil certs only?

At least by default, it should. There are quite a few systems that don't have an outside network connection, people may want to use different CAs, etc.

> Or should it be extended to give the user the option of using
> letsencrypt? If this is added, any packages already relying on
> make-ssl-cert will automatically be configured with letsencrypt
>
> Some discussion of Let's Encrypt and related issues occurred here:
> https://lists.debian.org/debian-devel/2015/08/msg00007.html

I agree that having supporting logic for Let's Encrypt would be nice to have. Unfortunately, I don't think I will have time to implement it in the foreseeable future. There are quite a few more things that would be nice, like

- creating certs in different formats / with chain included or not
- optionally creating a CSR for use with a different CA
- verifying the certificate chain
- verifying that a certificate actually matches the private key.

I am not sure if these must be in the same package. One could also imagine a generic certificate helper tool that does these things with an easier user interface than the openssl tools. And then a different package (ssl-cert?) could integrate this tool for use by Debian packages.

Cheers,
Stefan

