From: Stephen Gran Date: Sat, 18 Apr 2009 11:07:18 +0000 (+0100) Subject: Add a description of the exim PKI infrastructure X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=138d029b8465cd6c5631eb630a4ff925f0d8bc18;p=mirror%2Fdsa-wiki.git Add a description of the exim PKI infrastructure Signed-off-by: Stephen Gran --- diff --git a/input/howto/exim-ca.creole b/input/howto/exim-ca.creole new file mode 100644 index 0000000..d3cbe41 --- /dev/null +++ b/input/howto/exim-ca.creole @@ -0,0 +1,31 @@ +== Exim Mail PKI Infrastructure == + +=== Overview === + +handel:/srv/puppet/ca has a Makefile and a set of scripts that gets run +nightly (or @daily in cron speak). These scripts regenerate any expiring +certs, remove any certs for machines that have gone away, update the crl, +and build certs for new machines. + +There is also a facility for building 'client certs' - these are meant for +things like handing out user certs for mail relay if we ever decide we want +such a feature. Since I wasn't convinced we did, I left the list empty but +included the facility. + +=== Adding a new host === + +Add the machine to ud-ldap as usual, and wait for ud-replicate to update +the list of debianhosts (or force it - up to you). Then run + +{{{ +su puppet -s /bin/sh -c 'cd /srv/puppet/ca && make install' +}}} + +This will create and install the cert into the correct puppet directory for +puppet to serve the files out to the new machine. + +=== Caveat === + +This is meant to be a completely automated system, which means very little +auditing of it happens. Do not use certs from this CA for anything more +important than mail relaying.
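Review bot: the "Adding a new host" section (the `su puppet -s /bin/sh -c 'cd /srv/puppet/ca && make install'` step and the sentence after it) gives the operator no way to confirm the result: "the correct puppet directory" is never named, and nothing says how to check that the new cert was actually issued, so a silent `make` failure looks the same as success. Spell out the directory the Makefile installs into and add a one-line verification step, for example inspecting the new cert's subject and expiry with openssl before puppet serves it. Two smaller gaps in the same file: the Overview says certs are removed for machines that "have gone away" and that the CRL is updated, but does not say what triggers removal (presumably dropping off the debianhosts list that ud-replicate produces, as the next section implies) or where the CRL is published for exim to pick it up; and "I left the list empty but included the facility" for client certs should name the file that holds that list. Given the Caveat that this runs unattended with very little auditing, a sentence on where the nightly cron run logs and what to look at when a renewal fails would make the "do not use for anything more important than mail relaying" warning actionable rather than just cautionary.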