== Exim Mail PKI Infrastructure ==

handel:/srv/puppet/ca has a Makefile and a set of scripts that get run
nightly (or @daily in cron speak). These scripts regenerate any expiring
certs, remove any certs for machines that have gone away, update the CRL,
and build certs for new machines.

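As an added illustration (this is not the Makefile or the scripts in the CA directory, whose contents this page does not show), the nightly reconciliation described above can be sketched as a shell function that only plans the work. The host-list file, the `<hostname>.crt` layout and the 30-day renewal window are assumptions.

```shell
#!/bin/sh
# Added example, hypothetical layout:
#   $1 = file with one hostname per line (the current host list)
#   $2 = directory holding issued certs as <hostname>.crt (PEM)
#   $3 = renewal window in days (default 30)
# Prints one "<action> <hostname>" line: issue, renew, keep or revoke.
plan_ca_run() {
    hosts=$1 certdir=$2 days=${3:-30}
    window=$((days * 86400))

    # Hosts in the list: issue if no cert exists, renew if it expires soon.
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in
            ''|'#'*) continue ;;
            *[!A-Za-z0-9.-]*)
                # Refuse names that could escape the cert directory.
                echo "skipping invalid hostname: $host" >&2
                continue ;;
        esac
        crt="$certdir/$host.crt"
        if [ ! -f "$crt" ]; then
            echo "issue $host"
        # -checkend exits 0 only if the cert is still valid after $window
        # seconds; an unreadable cert also fails and is therefore renewed.
        elif openssl x509 -in "$crt" -noout -checkend "$window" >/dev/null 2>&1; then
            echo "keep $host"
        else
            echo "renew $host"
        fi
    done < "$hosts"

    # Certs whose host is no longer listed: revoke, so the CRL is updated.
    for crt in "$certdir"/*.crt; do
        [ -f "$crt" ] || continue
        host=$(basename "$crt" .crt)
        grep -qxF -- "$host" "$hosts" || echo "revoke $host"
    done
}

# Stand-alone use: sh plan.sh <hostlist> <certdir> [days]
if [ "$#" -ge 2 ]; then plan_ca_run "$@"; fi
```
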
There is also a facility for building 'client certs' - these are meant for
things like handing out user certs for mail relay if we ever decide we want
such a feature. Since I wasn't convinced we did, I left the list empty but
included the facility.

=== Adding a new host ===

Add the machine to ud-ldap as usual, and wait for ud-replicate to update
the list of debianhosts (or force it - up to you). Then run

  sudo -u puppet make -C /srv/puppet.debian.org/ca install

This will create and install the cert into the correct puppet directory for
puppet to serve the files out to the new machine.

This is meant to be a completely automated system, which means very little
auditing of it happens. Do not use certs from this CA for anything more
important than mail relaying.