I have applied a patch to provide debianized defaults. So there should
be no need to provide parameters to many of the maintenance scripts.

Debconf adaptation is not implemented yet, so you MUST edit the files in

A nice document for this is the usr/share/doc/openssl/doc/openssl.txt.gz
which can be found in the openssl package.

When you have done this you may give the ``ca-make.py'' command to create
your Root CA and sub CA's. Have a piece of paper ready, you need several

The Debian ``slapd'' has the correct inetorgperson.schema required for
storing X.509 certificates. Before you issue the ``ca2ldif.py'' command
to put your CA certificates into LDAP you need to run ``ca-cycle-priv.py''
to create CRL's, even if you haven't issued, much less revoked, any
certificates yet. Then run the command with all parameters, something like:

ca2ldif.py --crl --dntemplate="cn=%(CN)s,ou=ca,o=debian,c=no" | slapadd
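
How a --dntemplate value like the one above turns into an LDAP DN, as an
added example (not pyca's own code). It assumes the template is expanded
with Python's %-mapping operator, as the %(CN)s syntax suggests; the
function names, the dc=example,dc=org suffix and the sample subjects are
constructed for illustration.

```python
import re

# Characters RFC 4514 requires to be backslash-escaped anywhere in a value.
_SPECIAL = re.compile(r'([,+"\\<>;])')


def escape_rdn_value(value):
    """Escape one attribute value for use inside an LDAP DN string."""
    out = _SPECIAL.sub(r'\\\1', value).replace('\x00', '\\00')
    if value[:1] in ('#', ' '):                  # leading '#' or space
        out = '\\' + out
    if len(value) > 1 and value.endswith(' '):   # trailing space
        out = out[:-1] + '\\ '
    return out


def expand_dn(template, subject):
    """Fill a %(NAME)s-style DN template from certificate subject fields.

    Hypothetical helper: assumes the template is a Python %-mapping format
    string, which is what the %(CN)s syntax in the README suggests.
    """
    # Escape every value first, so a comma or plus in a CN cannot
    # introduce an extra RDN into the resulting DN.
    escaped = {k: escape_rdn_value(v) for k, v in subject.items()}
    try:
        return template % escaped
    except KeyError as missing:
        # E.g. a domainComponent-style subject has no C/O/OU fields.
        raise ValueError('subject has no %s field for template %r'
                         % (missing, template))


# Constructed sample subjects, not taken from a real CA.
ROOT = {'C': 'NO', 'O': 'debian', 'OU': 'ca', 'CN': 'Root CA'}
ODD = {'CN': 'Mail CA, internal+test'}

if __name__ == '__main__':
    print(expand_dn('cn=%(CN)s,ou=ca,o=debian,c=no', ROOT))
    print(expand_dn('cn=%(CN)s,ou=ca,dc=example,dc=org', ODD))
```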

The possibility of using domainComponents instead of C/St/L/O/OU notation
for DN's has been explored. Whereas this seems to be The Right Thing in
terms of how LDAP is being used these days, it looks awful in the
applications I have tested (IE, Mozilla, Firebird, Mutt, Outlook Express,
Outlook). Applications look for the C/St/L/O/OU fields in order to display
their contents to the user.
Not finding this information they display nothing, which looks very silly.
Mind you, the problem is purely cosmetic.

Oh, and the applications tend *not* to display utf-8, as well :( So my
personal company name - Tølveguten - can't be used.

If your use for a CA is to have client certificates for your mail server
internally on the other hand, domainComponent notation will ease the pain

-- Lars Bahner <bahner@debian.org>, Wed Mar 26 20:10:49 CEST 2003