

GnuTLS is an LGPL-licensed implementation of Transport Layer Security, the successor to SSL. Using GnuTLS avoids the licensing issues that can arise from employing the more common OpenSSL package. For this reason, certain packages such as OpenLDAP are compiled with support for GnuTLS instead of OpenSSL in recent releases of Ubuntu. This guide describes how to use the GnuTLS tools to generate certificates for the verification of host identity and the encryption of client/server communications.

Before reading this guide, the reader should be familiar with the concepts behind SSL/TLS. The Ubuntu Server Guide has a decent explanation. The tools to generate certificates and debug connections are available in the gnutls-bin package. More information on the GnuTLS toolkit can be found here:

Management of multiple keys and certificates becomes difficult without a coherent naming scheme. The following naming scheme is one possibility. Private keys are named after the server or service, plus the domain name, plus a file extension that marks them as keys. Certificates are named after the server or service they will be used for, with a different extension. For instance, the private key and the certificate for an LDAP server are both named after that server's FQDN. A Certificate Authority can be treated as a service, so its key name and certificate name take the form ca. followed by the domain. This naming scheme is for identification purposes only: the functionality of keys and certificates remains the same, regardless of filename.

The Fully Qualified Domain Name to which clients connect must match the FQDN in the server certificate's DNSname attribute (a dNSName entry in the certificate's Subject Alternative Name extension). If the FQDN in the certificate does not match the FQDN of the server to which the client is connecting, the client software should refuse to connect. This means DNS services must be available on the network, and an appropriate FQDN assigned to the server, before TLS is deployed; a certificate issued for a bare hostname, or for a name that is not in DNS, will not be accepted by a correctly behaving client.

To generate a certificate, a private key is required. The private key is the secret that the server or service will use to identify itself to clients. The entire chain of trust depends on the private key remaining a secret known only to the key's owner, therefore access to the key must be controlled carefully: the key file should be readable only by the account that runs the service, and it should never be copied to a client or published alongside the certificate.
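The following script is an example added to this page; it is not code from the original page or from the GnuTLS project. It puts the naming scheme, the FQDN requirement and the private-key handling described here into one procedure: files are named by FQDN, bare hostnames are rejected before anything is generated, the CA and server key pairs are created with certtool under a restrictive umask, and the resulting certificate is checked for the DNSname entry that clients will compare against. The hostnames ca.example.com and ldap.example.com, the .key and .cert extensions, the template contents and the excerpt of certtool output are all assumptions made for the illustration; certtool (from gnutls-bin) is needed only by the generation steps.

```shell
#!/bin/sh
# Added example (not from the original page or the GnuTLS project): apply
# the naming scheme, check the FQDN, generate a CA and a server certificate
# with certtool, and verify that the certificate names the server's FQDN.
# Assumptions made for this illustration: hostnames ca.example.com and
# ldap.example.com, the .key / .cert extensions, and the template fields.

# Naming scheme: <service FQDN>.key for the private key, <service FQDN>.cert
# for the certificate (the extensions are this example's choice).
key_name()  { printf '%s.key\n' "$1"; }
cert_name() { printf '%s.cert\n' "$1"; }

# Refuse anything that is not a plausible FQDN before generating: a
# certificate issued for a bare hostname such as "ldap" never matches the
# name clients connect to, and a correct client refuses it.
is_fqdn() {
    case "$1" in
        '' | *[!A-Za-z0-9.-]*)                  return 1 ;;  # empty, ports, paths
        .* | *. | -* | *- | *..* | *.-* | *-.*) return 1 ;;  # malformed labels
        *.*)                                    return 0 ;;  # host plus domain
        *)                                      return 1 ;;  # bare hostname
    esac
}

# Given the text printed by `certtool -i`, succeed only if the certificate
# carries $2 as a DNSname entry (certtool prints one "DNSname: <name>" line
# per Subject Alternative Name entry). Leading whitespace is stripped first.
cert_text_has_dnsname() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -qxF "DNSname: $2"
}

# Private key hygiene: the file must be readable by its owner only (0600).
# Parses `ls -l` because stat's options differ between GNU and BSD.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# Constructed excerpt of `certtool -i` output (not captured from a real run),
# used to exercise cert_text_has_dnsname without needing certtool installed.
SAMPLE_CERT_INFO='X.509 Certificate Information:
    Subject: CN=ldap.example.com,O=Example service (constructed)
    Extensions:
        Subject Alternative Name (not critical):
            DNSname: ldap.example.com'

# CA key plus self-signed CA certificate. $1 = CA FQDN. Writes to the cwd.
gen_ca() {
    is_fqdn "$1" || { echo "not an FQDN: $1" >&2; return 1; }
    ( umask 077; certtool --generate-privkey --outfile "$(key_name "$1")" )
    cat > "$1.tmpl" <<EOF
organization = "Example CA (constructed)"
cn = "$1"
expiration_days = 3650
ca
cert_signing_key
EOF
    certtool --generate-self-signed --load-privkey "$(key_name "$1")" \
        --template "$1.tmpl" --outfile "$(cert_name "$1")"
}

# Server key plus CA-signed certificate. $1 = server FQDN, $2 = CA FQDN.
# dns_name is what ends up in the DNSname attribute clients compare against.
gen_server() {
    is_fqdn "$1" || { echo "not an FQDN: $1" >&2; return 1; }
    ( umask 077; certtool --generate-privkey --outfile "$(key_name "$1")" )
    cat > "$1.tmpl" <<EOF
organization = "Example service (constructed)"
cn = "$1"
dns_name = "$1"
expiration_days = 365
tls_www_server
encryption_key
signing_key
EOF
    certtool --generate-certificate --load-privkey "$(key_name "$1")" \
        --load-ca-certificate "$(cert_name "$2")" \
        --load-ca-privkey "$(key_name "$2")" \
        --template "$1.tmpl" --outfile "$(cert_name "$1")"
}

# Post-generation checks: key permissions, SAN content, and the chain plus
# hostname verification that a connecting client performs. $1 = server, $2 = CA.
check_server() {
    key_is_private "$(key_name "$1")" \
        || { echo "$(key_name "$1") is readable by others" >&2; return 1; }
    cert_text_has_dnsname "$(certtool -i --infile "$(cert_name "$1")")" "$1" \
        || { echo "$(cert_name "$1") does not carry DNSname $1" >&2; return 1; }
    certtool --verify --verify-hostname "$1" \
        --load-ca-certificate "$(cert_name "$2")" --infile "$(cert_name "$1")"
}

main() {
    workdir=$(mktemp -d) && cd "$workdir" || return 1
    gen_ca ca.example.com &&
    gen_server ldap.example.com ca.example.com &&
    check_server ldap.example.com ca.example.com &&
    echo "keys and certificates generated in $workdir"
}

# The generation steps need certtool from gnutls-bin; the checks above do not.
if command -v certtool >/dev/null 2>&1; then
    (main) || echo "certificate generation failed" >&2
fi
```

Run it as `sh gen-certs.sh` on a host with gnutls-bin installed; it works in a fresh temporary directory so nothing in the current directory is overwritten. The final `certtool --verify --verify-hostname` step performs the same chain and name check a client does when it connects, so a certificate whose DNSname does not match the service's FQDN is caught before the service is exposed rather than when the first client refuses to connect. The three checks (is_fqdn, cert_text_has_dnsname, key_is_private) do not need certtool and can be reused in deployment scripts.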
