This is a tracking bug for SSL certificate requests. Please use the attached gentoo.cnf to generate your certificate requests, name them per the comment in the file, and then email them to cacert@gentoo.org AND leave a note on this bug with the filename you used.
Created attachment 154065 [details] OpenSSL Req config file
Created attachment 154069 [details] OpenSSL Req config file Updated version with better instructions and defaults.
The present attachment is the latest gentoo.cnf file. We need to decide on some suitable OU values to use still. To date, on all public certificates, we've used 'Gentoo Infrastructure' for that field - if we want to change that, now is the time to do so. # Current instructions, as of 2008/05/23: # 1. download gentoo.cnf from bug #223347 # 2. export CNAME="FOOBAR.gentoo.org" # 3. export NAME="$(date -u +%Y%m%d)_gentoo_${CNAME}" # 4. openssl genrsa -out ${NAME}.key 1024 # 5. openssl req -config gentoo.cnf -text -out ${NAME}.csr -key ${NAME}.key -new # 6. email ${CSR}.csr to cacert@gentoo.org, and leave a comment on bug #223347 # with the name of the file.
Certificate public TODO list: https bugs.gentoo.org https forums.gentoo.org imaps mail.gentoo.org smtps mail.gentoo.org (incoming and outgoing)
Cert request for 20080525_gentoo_forums.gentoo.org.csr emailed.
Temporary cert for forums.gentoo.org issued. Has buggy emailAddress field due to minor issue @ CACert. I put the temp one online for now, and I'll refresh it to a final one after they fix their end.
Final cert for forums.g.o is online now. No more emailAddress field, and L has been corrected as well.
20080621_gentoo_bugs.gentoo.org.csr emailed. 20080621_gentoo_bugs.gentoo.org.crt completed.
20090519_gentoo_forumstest.gentoo.org.csr emailed. 20090519_gentoo_forumstest.gentoo.org.crt completed.
Emailed: 20090629_gentoo_dev.gentoo.org_imapd.csr.pem 20090629_gentoo_dev.gentoo.org_pop3d.csr.pem Completed: 20090629_gentoo_dev.gentoo.org_imapd.crt.pem 20090629_gentoo_dev.gentoo.org_pop3d.crt.pem
Emailed: 20090803_gentoo_overlays.gentoo.org.csr.pem Completed: 20090803_gentoo_overlays.gentoo.org.crt.pem
20091018_gentoo_hardenedwiki.gentoo.org.csr emailed
20091018_gentoo_hardenedwiki.gentoo.org.crt completed
Emailed: 20100525_gentoo_dev.gentoo.org-smtp-tls.csr.pem Completed: 20100525_gentoo_dev.gentoo.org-smtp-tls.crt.pem
20100814_gentoo_dev.gentoo.org.csr emailed.
20100814_gentoo_dev.gentoo.org.csr completed.
New items processed: 20101202_gentoo_blogs.gentoo.org 20101202_gentoo_wiki.gentoo.org 20101202_gentoo_glsamaker2.gentoo.org 20101202_gentoo_recruiting.gentoo.org There is now a script in the cfengine repo to help generate the config, key, csr, that also sends email as required by this tracking bug.
Comment on attachment 154069 [details] OpenSSL Req config file The prior instructions and config are now obsolete. Current instructions, as of 2011/12/01: 1. Change to output directory. 2. /usr/local/sbin/generate-ssl DNS:foobar.gentoo.org DNS:foobar2.gentoo.org 3. Leave a comment on bug #223347 (this bug) about the request. The generate-ssl script is in the cfengine repo, should be available on all hosts, and has a lot of detail if you pass --help now.
20111201_gentoo_dev.gentoo.org.csr emailed Subject: C=US, ST=New Mexico, L=Albuquerque, O=GENTOO Foundation, Inc., OU=dev.gentoo.org IMAP/POP3/SIEVE SSL, CN=dev.gentoo.org/emailAddress=cacert@gentoo.org X509v3 Subject Alternative Name: DNS:dev.gentoo.org, DNS:mail.gentoo.org, DNS:imap.gentoo.org, DNS:pop3.gentoo.org
20111201_gentoo_dev.gentoo.org.crt completed. Pending CACert bug where slashes are being dropped: http://bugs.cacert.org/view.php?id=995
This tracker seems to be no longer needed now that we've migrated off of CACert.
