As an FYI, we use cacert.org a lot for "internal" SSL certs. I'm pretty
happy with them, and they send emails as well.

--
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices

Identity Management, LDAP, and Linux Integration


-ray wrote:
> At one time I had a Perl Net::SSL script that would check the expiration 
> on our boxes, and send a reminder.  I don't use it anymore, but can try to 
> dig it up if you need it.
> 
> We used MPKI from Verisign for a while, which would also send email 
> reminders.  And from the MPKI console, I could do a search on which certs 
> would expire this month, etc.
> 
> I've since switched our certs to IPSCA (http://certs.ipsca.com/).  They 
> offer free certs for edu domains.  The intermediate cert is a pain, but 
> works fine.  We have a wildcard cert for *.selu.edu.  Not great for 
> security, but sure does make installing SSL on a new box pretty easy. 
> They're all gonna expire on the same day, so that's a good reminder too. 
> :)
> 
> ray
> 
> 
> On Mon, 26 Nov 2007, Dustin Puryear wrote:
> 
>> So, a little issue I see a lot is that SSL cert files seem to go
>> everywhere. I may see some under /var/shared/ssl/certs/, some under
>> application-specific directories (e.g., /etc/httpd/conf/ssl.*/,
>> /etc/ldap/), etc.
>>
>> What are your thoughts on:
>>
>> 1. Putting all certs under a standardized location, e.g.,
>> /usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them for a
>> little more security.
>>
>> 2. Keeping them in application-specific areas.
>>
>> Also, how are you keeping track of cert expiration? We usually get
>> emails from the SSL cert vendor about renewals, but..
>>
>>
> 
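
An added example, not code from anyone in this thread: a standard-library Python sketch that walks certificate directories like the ones named above and reports every PEM certificate that has expired or will expire soon. The function names, the 30-day window and the minimal DER walker (used in place of an OpenSSL binding such as the Net::SSL script mentioned) are assumptions of this example.

```python
import base64, re
from datetime import datetime, timedelta, timezone
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Pull notAfter out of a DER certificate (RFC 5280 field order)."""
    _, pos, _ = _tlv(der, 0)              # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)            # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos     # skip the optional [0] version
    for _skip in range(3):                # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)            # validity SEQUENCE
    _, _, pos = _tlv(der, pos)            # skip notBefore
    tag, start, end = _tlv(der, pos)      # notAfter: UTCTime (0x17) or GeneralizedTime
    # %y maps 00-68 to 20xx, which covers UTCTime notAfter values through 2049.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    when = datetime.strptime(der[start:end].decode("ascii"), fmt)
    return when.replace(tzinfo=timezone.utc)

def expiring(roots, days=30, now=None):
    """Return sorted (notAfter, path) for certs expired or expiring within days."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for path in (p for root in roots for p in Path(root).rglob("*")):
        try:
            data = path.read_bytes() if path.is_file() else b""
        except OSError:
            continue                      # unreadable file (e.g. a 0600 key): skip
        for block in PEM_RE.finditer(data):
            try:
                when = not_after(base64.b64decode(block.group(1)))
            except (ValueError, IndexError):
                continue                  # malformed or truncated block
            if when - now <= timedelta(days=days):
                hits.append((when, str(path)))
    return sorted(hits)

if __name__ == "__main__":  # roots taken from the directories named in the thread
    print(expiring(["/var/shared/ssl/certs", "/etc/httpd/conf", "/etc/ldap"]))
```

Run from cron and mailed to the admin list, this gives an expiry reminder that does not depend on where each application keeps its certificates or on the vendor's renewal emails.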
