A FAI user who wants to stay anonymous just sent me this info on handling SSL keys for servers - secret stuff that might not be good to place in the configspace.

I did not test it and have no info on it, just posting it as the person I got it from must stay anonymous, and it _might_ help somebody. I'm not putting it into the wiki as I have not tested it and cannot take care of it - if you have success with this, please put it into the wiki!

=== Installing self-signed certificates into the FAI ===

For our Linux clients we put our two public SSL certificates into FAI's fcopy area. The certificates should be installed under /usr/share/ca-certificates and files with extension ".crt" are recognized as available certs:

* files/usr/share/ca-certificates/our-domain.com/root-ca-cert-pem.crt/DEFAULT
* files/usr/share/ca-certificates/our-domain.com/ua-rz-ca-pem.crt/DEFAULT

=== package_config/DEFAULT ===

The class "package_config/DEFAULT" contains the Debian package "ca-certificates", which is installed on every FAI PC this way.

=== scripts/DEFAULT/85-rehash-certs ===

The script "scripts/DEFAULT/85-rehash-certs" registers our two certificates either by using openssl's "c_rehash" shell script or, if available, by using the ca-certificates Debian package's "update-ca-certificates" shell script:

 # add both certificates to the list of enabled CAs (ainsl appends the line only if it is missing)
 ainsl "$target/etc/ca-certificates.conf" "our-domain.com/root-ca-cert-pem.crt"
 ainsl "$target/etc/ca-certificates.conf" "our-domain.com/rz-ca-pem.crt"
 # rebuild the hashed links in /etc/ssl/certs inside the installed system
 if [ -x "$target/usr/sbin/update-ca-certificates" ]; then
     chroot "$target" update-ca-certificates
 else
     chroot "$target" /usr/bin/c_rehash /etc/ssl/certs
 fi

It would be great if you or someone from the FAI project could, when there is an opportunity, post this to the FAI mailing list or the FAI wiki for documentation. Maybe it is also useful for other FAI users.
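An added example (not part of the original post or of FAI): a POSIX shell function that cross-checks the entries in ca-certificates.conf against the files copied under /usr/share/ca-certificates, and flags a listed file that is missing, contains private key material, or holds no PEM certificate. The function name check_ca_conf and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_ca_conf TARGET
#   Cross-checks TARGET/etc/ca-certificates.conf against the files under
#   TARGET/usr/share/ca-certificates. Prints one finding per line and
#   returns 0 when every enabled entry is a PEM certificate without key
#   material, 1 otherwise.
# In a FAI script it could be called as: check_ca_conf "$target"
check_ca_conf() {
    target=$1
    conf="$target/etc/ca-certificates.conf"
    certdir="$target/usr/share/ca-certificates"
    rc=0

    [ -r "$conf" ] || { echo "MISSING-CONF $conf"; return 1; }

    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|'!'*) continue ;;  # blank, comment, deselected entry
        esac
        f="$certdir/$line"
        if [ ! -f "$f" ]; then
            # entry names a file that was never copied (e.g. a typo)
            echo "NOT-FOUND $line"; rc=1
        elif grep -q -e 'PRIVATE KEY-----' "$f"; then
            # a secret key ended up in the world-readable CA directory
            echo "PRIVATE-KEY $line"; rc=1
        elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "NOT-PEM $line"; rc=1
        fi
    done < "$conf"
    return $rc
}
```

Running it after the ainsl lines and before update-ca-certificates catches a name mismatch between the fcopy path and the conf entry before the trust store is rebuilt.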
