Dustin Puryear <dustin@puryear-it.com> writes:

> 1. Putting all certs under a standardized location, e.g.,
> /usr/shared/ssl/certs/, and then just chown'ing and chmod'ing them for a
> little more security.

Yes, but I would suggest /etc/ssl/certs instead of anything under /usr.
As a general rule files under /usr shouldn't be modified with
information local to the system.

> 2. Keeping them in application-specific areas.

Make symlinks!

> Also, how are you keeping track of cert expiration? We usually get
> emails from the SSL cert vendor about renewals, but..

If you have certs in one location, you can set up a cron job to just
scan the directory.

It is also possible to have Nagios check remotely-available ssl-enabled
services and warn when the cert is about to expire.

Mark.
--
http://hexmode.com/
GPG Fingerprint: 7E15 362D A32C DFAB E4D2 B37A 735E F10A 2DFC BFF5
The most beautiful experience we can have is the mysterious.
  -- Albert Einstein, The World As I See it
___________________
Nolug mailing list
nolug@nolug.org
Received on 11/26/07
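
Added example (not part of the original message): one way to write the cron-driven directory scan suggested above. It assumes PEM-encoded files named *.pem or *.crt, an openssl binary on PATH, and a 30-day default warning window; the function name scan_certs is hypothetical.

```shell
#!/bin/sh
# Added example: report certificates in one directory that have expired
# or will expire soon. Intended to be run from cron, for instance:
#   check-certs.sh /etc/ssl/certs 30

# scan_certs DIR [DAYS]
# Prints one line per certificate that needs attention.
# Returns 0 if nothing is due, 1 if something is, 2 on a usage error.
scan_certs() {
    dir=$1
    days=${2:-30}                      # assumed default warning window
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    window=$((days * 86400))           # -checkend takes seconds
    status=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        # Skips an unmatched glob and dangling symlinks; symlinks that
        # point at a real file in an application directory are followed.
        [ -f "$f" ] || continue
        # Only the first certificate in a multi-certificate bundle is read.
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || {
            # Fail closed: a file we cannot parse is reported, not ignored.
            echo "UNREADABLE $f"; status=1; continue
        }
        end=${end#notAfter=}
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "EXPIRED $f ($end)"; status=1
        elif ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            echo "EXPIRING $f ($end)"; status=1
        fi
    done
    return $status
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    scan_certs "$@"
fi
```

Because cron mails any output, a quiet run means every certificate in the directory is valid beyond the warning window.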
This archive was generated by hypermail 2.2.0 : 12/19/08 EST