List:       info-cyrus
Subject:    Re: My Take on Virtdomains so far
From:       Michael Fair <michael () daclubhouse ! net>
Date:       2002-08-26 21:17:33
> > > Other than that, I can add support for a tls_cert_dir which would have
> > > one cert per address each using the domain as the name, ie
> > > oceana.com.crt
> > 
> > 
> My question is, do people also use a separate key file per-domain?

I do, but more as a side effect of creating the certs one at
a time and then just leaving the key as a separate file during
that process.  

I'm still playing with this part of the virtual domain
process.  At the moment, rather than pay for a real cert
I use the OpenSSL tools to set up each virtual domain as
its own CA then distribute that CA key to each of the users.
So far the only needs have been internal https, imaps, smtps
(An e-commerce site would use a purchased signature).

Setting up each virt domain as its own CA creates a lot
of cruft and doesn't work too well with the Cyrus model
of certs at the moment.

Without understanding more about the two methods Ken
posted earlier (which I need to understand myself),
I was thinking about migrating to an "ISP CA" which
then acted as the CA for each virt domain then I would
just distribute the ISP's CA.  Of course the one caveat
with that approach is that all the "ISP" customers now
automatically implicitly trust each other.  While that
isn't a major problem in the sense that actual usage
shows they don't try and use each other's internal
services, it's an academic caveat nonetheless.

I don't know how many others out there are like me,
but feel I have much more of a trained monkey knowledge
than an actual understanding of the SSL cert process.
So while Ken's URLs solve the problem, it was immediately
apparent to me how to test it to see if my favorite MUAs
supported it.

and the fight rolls on!
Kudos Ken!  This is very much a great first draft of a
one-size-fits-all virtual domain implementation barring
support for a protocol level way of detecting which
domain an end user is trying to contact.  It's much more 
advanced than any of the attempts I had made at writing 
the same kinds of code!  I'm very grateful for the effort.

-- Michael --
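As an added example, not from this thread or from Cyrus, the two trust models Michael describes built with the OpenSSL command-line tools: each virtual domain as its own self-signed CA, versus one "ISP CA" signing a cert per hosted domain (stored one file per domain, as in the tls_cert_dir idea). The domain names, the `$WORK` directory and the `isp-ca` name are assumptions; the last verification shows the caveat that any client trusting the ISP CA accepts every other customer's cert too.

```shell
#!/bin/sh
# Constructed demo (not Cyrus code): compare "every virtual domain is its own CA"
# with a single "ISP CA" that signs one cert per hosted domain, and show that a
# client trusting the ISP CA implicitly trusts every other customer's cert.
# Domain names are made up; files use the one-cert-per-domain naming (domain.crt).
set -e
WORK="${TMPDIR:-/tmp}/virtdomain-ca-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA named $1, writing $1.key and $1.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server cert for domain $2 signed by CA $1: $2.key, $2.csr, $2.crt.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# Exit 0 if a client whose only trust anchor is CA $1 accepts domain $2's cert.
client_trusts() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

setup_demo() {
  # Model 1: each virtual domain is its own CA and serves its self-signed cert.
  make_ca oceana.example
  make_ca pacifica.example
  # Model 2: one ISP CA issues a cert for each hosted virtual domain.
  make_ca isp-ca
  issue_cert isp-ca mail.oceana.example
  issue_cert isp-ca mail.pacifica.example
}

report() {
  if client_trusts "$1" "$2"; then echo "trusting $1 -> $2: accepted"
  else echo "trusting $1 -> $2: rejected"; fi
}

setup_demo
report oceana.example oceana.example      # accepted: its own cert
report oceana.example pacifica.example    # rejected: separate trust roots
report isp-ca mail.oceana.example         # accepted: issued by the ISP CA
report isp-ca mail.pacifica.example       # accepted: the implicit cross-trust
```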