Mirror of the Rel4tion website/wiki source, view at <http://rel4tion.org>

Environment.mdwn

The best thing to do is probably to manage the CA on a separate machine, not on the server itself, and just copy the certificates to the server, where the server software can use them for its SSL functionality.

If you can do that, move to that machine and do the next steps there (until we move back to the server).

Maybe you can’t, or prefer not to: for example, your non-server machines may still be connected to the internet (e.g. for private use) and you don’t want to keep the SSL files there. Since you do have to keep and manage them somewhere, here is a suggestion: create a separate user on some machine, dedicated to managing the CA. This user won’t have password access, won’t have SSH access, and all its files will be accessible only to itself (i.e. the Unix octal permission always ends with two zeros, e.g. 600).

If you don’t need such a special user, skip to the next step (installing the software). Otherwise, let’s create the user.

The following command should be executed by the root user on the machine where the CA is going to be managed. It will create a new user ‘ca’ (you can use any other name).

    # adduser \
        --system \
        --shell /bin/bash \
        --gecos 'certificate authority user' \
        --group \
        --disabled-password \
        --home /home/ca \
        ca

This new user probably has a globally-readable home folder. You can use chmod (or chmod -R) to limit visibility to this user only, and nobody else. You may need to do this again later, after creating SSL-related private files; actually protecting those is much more important than the rest of the home folder.
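To check the outcome of that chmod step, here is an added shell example (not from the wiki page) that lists anything under the CA user’s home whose mode grants group or other permissions, and strips them the way `chmod -R` does. It assumes GNU find (the `-perm /mode` syntax is a GNU extension) and uses `/home/ca` only as an example path.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit the CA user's home directory
# for anything readable or writable by group/others, and lock it down with the
# chmod -R approach the page suggests. Assumes GNU find (Linux), since the
# -perm /mode syntax is a GNU extension. The path /home/ca is only an example.

# Print every path under $1 whose mode grants ANY permission to group or others,
# i.e. whose octal mode does not end in "00". Empty output means nothing exposed.
list_exposed() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -perm /077 -print
}

# Succeed (status 0) only if nothing under $1 is exposed; fail otherwise.
check_private() {
    [ -d "$1" ] || return 2
    [ -z "$(find "$1" -perm /077 -print)" ]
}

# Count exposed paths under $1 (handy for reporting and for tests).
count_exposed() {
    [ -d "$1" ] || return 2
    find "$1" -perm /077 -print | wc -l | tr -d ' '
}

# Strip group/other permissions from everything under $1, directories included.
# Owner permissions are left alone, so the ca user keeps full access.
lock_down() {
    [ -d "$1" ] || return 2
    chmod -R go-rwx "$1"
}

# Command-line use:  ./ca-home-audit.sh /home/ca        (report only)
#                    ./ca-home-audit.sh /home/ca --fix  (report, then lock down)
if [ "$#" -ge 1 ]; then
    echo "Exposed paths under $1:"
    list_exposed "$1"
    if [ "${2:-}" = "--fix" ]; then
        lock_down "$1"
        echo "Remaining exposed paths: $(count_exposed "$1")"
    fi
fi
```

Run it again after generating the CA key and certificates, since newly created files pick up the creating process’s umask rather than the permissions you set earlier.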
