On Thu, Jul 20, 2006 at 11:24:34AM +0200, Martin Schulze wrote:
> Hence, I propose to stay with virtual per-service certificates, but to
> link them to the common snakeoil certificate from ssl-certificates
> during configuration and only if there is no other setting.
>
> For example:
>
> Dovecot uses </etc/ssl/certs/dovecot.pem>.
>
> This is a symbolic link to </etc/ssl/certs/ssl-cert-snakeoil.pem> if
> the above file or link does not exist during configuration of
> dovecot.
>
> That way, the admin can easily replace the symlink with a real
> certificate if they want per-service certificates.
>
> If, however, they want to have one real certificate for everything,
> they can replace the snakeoil certificate like Martin Pitt proposed.
This would be a great improvement. I'd suggest one more level of symlinks. Have the individual services symlink to /etc/ssl/certs/ssl-cert-site.pem, which is then symlinked to ssl-cert-snakeoil.pem. When/if the local admin installs an actual site-wide certificate, updating the one ssl-cert-site.pem symlink will update all of the individual services using the site cert, and the snakeoil cert is still available if you ever need to fail back to it.

tony
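As an added illustration (not code from this thread or from Debian's ssl-cert package), the two-level chain Tony proposes, modelled in a scratch directory so nothing under /etc/ssl is touched; the service names and placeholder certificate contents are constructed, and it assumes GNU readlink -f.

```shell
# Added example: <service>.pem -> ssl-cert-site.pem -> ssl-cert-snakeoil.pem
set -eu

# Scratch "certs" directory holding a constructed snakeoil placeholder.
# pwd -P gives a symlink-free path so it compares equal to readlink -f output.
setup_certs_dir() {
    dir=$(cd "$(mktemp -d)" && pwd -P)
    printf 'constructed snakeoil placeholder, not a real certificate\n' \
        > "$dir/ssl-cert-snakeoil.pem"
    printf '%s' "$dir"
}

# Package-configuration step: create the link only when the path does not
# already exist (file or dangling link), so an admin's real cert is kept.
link_if_absent() {  # link_if_absent <dir> <name> <target>
    if [ ! -e "$1/$2" ] && [ ! -L "$1/$2" ]; then
        ln -s "$3" "$1/$2"
    fi
}

# Configure one service: point it at the site-wide link, which itself
# points at snakeoil until the admin changes it.
configure_service() {  # configure_service <dir> <service>
    link_if_absent "$1" ssl-cert-site.pem ssl-cert-snakeoil.pem
    link_if_absent "$1" "$2.pem" ssl-cert-site.pem
}

# Admin action: repoint the single site-wide link at a real certificate,
# or back at snakeoil to fail back; every service on the chain follows.
set_site_cert() {  # set_site_cert <dir> <target-basename>
    ln -sf "$2" "$1/ssl-cert-site.pem"
}

# Where a service's certificate actually resolves (follows the whole chain).
resolve_cert() {  # resolve_cert <dir> <service>
    readlink -f "$1/$2.pem"
}

demo() {
    d=$(setup_certs_dir)
    for svc in dovecot exim4 apache2; do configure_service "$d" "$svc"; done
    printf 'constructed site certificate placeholder\n' > "$d/site-real.pem"
    set_site_cert "$d" site-real.pem          # one update, all services follow
    for svc in dovecot exim4 apache2; do
        printf '%s -> %s\n' "$svc" "$(resolve_cert "$d" "$svc")"
    done
    rm -rf "$d"
}
demo
```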