* Herman Robak ([EMAIL PROTECTED]) [040829 12:46]:
> Suggested solution
>
> During installation, a CA will be created. Maybe before all the
> SSL-enabled servers are installed, maybe after; that depends on how we
> aim to solve the certificate signing.
> If the CA is in place _before_ the SSL-enabled servers, they can
> have a pre-install script generate a signing request. If the CA
> responds, and signs the request, the server gets a properly signed
> certificate. If not, it can fall back to a self-signed certificate.
> dpkg-reconfigure ought to repeat this process, in case the CA was
> not working at install time.
> Design consideration: The servers could "pull" their certificates
> by sending a signing request, or the CA could "push" by putting the
> certificate and the private key in a predetermined place.

Are you working on this? It is an important bit of infrastructure and needs care and dedication over some time. I would certainly appreciate it if you could commit to it.
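
Added example, not part of the original thread or of any project code: a sketch of the "pull" variant from the quoted proposal using the `openssl` command line, with the fallback to a self-signed certificate when the CA is unavailable. The function names, file names and directory layout are assumptions, and the direct call to `ca_sign` stands in for whatever transport would carry the signing request to the CA.

```shell
#!/bin/sh
# Constructed example; file names and directory layout are assumptions.

# make_ca CA_DIR: what the installer would do once, on the CA host.
make_ca() (
    umask 077
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Install CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
)

# ca_sign CSR CERT_OUT CA_DIR: CA side. Only the CSR and the certificate
# cross the boundary; the server's private key is never seen here.
ca_sign() {
    [ -r "$3/ca.crt" ] && [ -r "$3/ca.key" ] || return 1
    openssl x509 -req -in "$1" -CA "$3/ca.crt" -CAkey "$3/ca.key" \
        -CAcreateserial -days 365 -out "$2" 2>/dev/null
}

# request_cert DIR CN CA_DIR: server side (pre-install or dpkg-reconfigure).
# Prints "ca-signed" or "self-signed".
request_cert() (
    dir=$1 cn=$2 ca=$3
    umask 077    # server.key must be readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || exit 1
    # Calling ca_sign directly stands in for sending the CSR to the CA.
    if ca_sign "$dir/server.csr" "$dir/server.crt" "$ca"; then
        echo ca-signed
    else
        # CA did not respond: fall back, and let a later run retry.
        openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
            -days 365 -out "$dir/server.crt" 2>/dev/null || exit 1
        echo self-signed
    fi
)
```

In this flow the private key is generated on the server and stays there, whereas the "push" variant has the CA place both certificate and private key, so the key exists in a second location that needs the same protection.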

