--- Mike Jackson <mj(a)sci.fi> wrote:
> > What's the best way to go about doing this? I don't want to manually create/deploy dozens of
> > certs for various clients. I also need a way to implement CRL somehow, in case a box is
> > compromised.
>
> Your clients don't need certificates, they only need a copy of your root
> CA cert - the same file for every client.
Right, I think I was confused on that point. I meant to say that I don't want to deploy the CA
cert to dozens of clients. So, forget the CRL, then...

Because we have about 60 servers total. Now, /etc/openldap/cacerts/ is writable by root only and
I'd have to do some serious expect/perl scripting to ssh into every machine, accept the key, su -
root, scp the CA cert, log out. I really don't want to do this if I don't have to.

So, are you saying I can use openSSL + linux openldap client to do this automagically?
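The distribution step described above (one CA file, many hosts) does not need expect scripting: a single non-interactive ssh session per host can write the file and report a digest back, so each installed copy is verified against the original. The script below is an added example written for this thread, not code from either poster; `ca.pem`, `hosts.txt`, the destination path, the use of `sudo` instead of `su -`, and pre-populated `known_hosts` entries are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: push one CA certificate to a list of
# hosts and verify every installed copy against the SHA-256 of the original.
# CA_CERT, DEST and HOSTS are assumed paths; adjust them for your environment.
set -u

CA_CERT="${CA_CERT:-./ca.pem}"                  # assumed: local copy of the root CA cert
DEST="${DEST:-/etc/openldap/cacerts/ca.pem}"    # assumed: destination on each client
HOSTS="${HOSTS:-./hosts.txt}"                   # assumed: file with one hostname per line

# Print the SHA-256 of a local file (coreutils sha256sum, openssl as fallback).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
  fi
}

# Return 0 when both hex digests are non-empty and identical, 1 otherwise.
hashes_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Copy the cert to one host in a single ssh session: the file travels on stdin,
# so there is no separate scp step and no interactive su. The remote side
# echoes the digest of what it actually wrote. Host keys must already be in
# known_hosts: StrictHostKeyChecking=yes refuses unknown keys rather than
# "accepting" them blindly, and BatchMode=yes keeps the run non-interactive.
push_cert() {
  host=$1
  ssh -o StrictHostKeyChecking=yes -o BatchMode=yes "$host" \
      "sudo sh -c 'umask 022; cat > \"$DEST\" && sha256sum \"$DEST\"'" < "$CA_CERT" \
      | cut -d' ' -f1
}

# Deploy to every host listed in HOSTS and report each result.
# Exit status is the number of hosts whose copy did not verify.
deploy_all() {
  expected=$(file_sha256 "$CA_CERT")
  failed=0
  while read -r host; do
    [ -z "$host" ] && continue
    actual=$(push_cert "$host" 2>/dev/null)
    if hashes_match "$expected" "$actual"; then
      echo "ok      $host"
    else
      echo "FAILED  $host (expected $expected, got '${actual:-none}')"
      failed=$((failed + 1))
    fi
  done < "$HOSTS"
  return "$failed"
}

# Only run the deployment when invoked as deploy_ca.sh with a host list present.
if [ "${0##*/}" = "deploy_ca.sh" ] && [ -f "$HOSTS" ]; then
  deploy_all
fi
```

Save it as `deploy_ca.sh`, list the 60 hosts in `hosts.txt`, and run it once; any host that prints `FAILED` still has the old or a corrupted file. If the clients use `TLS_CACERTDIR` rather than `TLS_CACERT`, the directory also needs the OpenSSL hash-named links (`openssl rehash` or `c_rehash` on each host) before OpenLDAP will find the cert.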