From: Mark Huang Date: Mon, 10 Jul 2006 21:04:17 +0000 (+0000) Subject: - think i finally understand ssl now X-Git-Tag: planetlab-4_0-rc1~152 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=737199fc5dfb3ebeeca3e18cbbc3d416724a101d;p=myplc.git - think i finally understand ssl now - allow CA to be configured for each ssl certificate set - never do any root CA stuff. this is outside the scope of myplc. myplc now only generates self-signed certs (but supports replacement of the self-signed certs with real certs signed by another CA, as long as the CA is specified) --- diff --git a/plc_config.xml b/plc_config.xml index dd5d7b1..3863d99 100644 --- a/plc_config.xml +++ b/plc_config.xml @@ -6,7 +6,7 @@ Default PLC configuration file Mark Huang Copyright (C) 2006 The Trustees of Princeton University -$Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ +$Id: plc_config.xml,v 1.14 2006/06/23 20:31:09 mlhuang Exp $ --> @@ -101,27 +101,6 @@ $Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ The SSH private key used to access the root account on your nodes. - - - Root CA SSL Private Key - /etc/planetlab/root_ca_ssl.key - The SSL private key used for signing all other - generated certificates. If non-existent, one will be - generated. - - - - Root CA SSL Public Key - /etc/planetlab/root_ca_ssl.pub - The corresponding SSL public key. - - - - Root CA SSL Public Certificate - /etc/planetlab/root_ca_ssl.crt - The corresponding SSL public - certificate. - 
@@ -148,27 +127,39 @@ $Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ be generated. - - SSL Public Key - /etc/planetlab/ma_sa_ssl.pub - The corresponding SSL public key. - - SSL Public Certificate /etc/planetlab/ma_sa_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. + The corresponding SSL public certificate. By + default, this certificate is self-signed. You may replace + the certificate later with one signed by the PLC root + CA. + + + + Root CA SSL Public Certificate + /etc/planetlab/ma_sa_ca_ssl.crt + If applicable, the certificate of the PLC root + CA. If your MA/SA certificate is self-signed, then this file + is the same as your MA/SA certificate. + + + + Root CA SSL Public Key + /etc/planetlab/ma_sa_ca_ssl.pub + If applicable, the public key of the PLC root + CA. If your MA/SA certificate is self-signed, then this file + is the same as your MA/SA public key. API Certificate /etc/planetlab/ma_sa_api.xml - The API Certificate for your MA/SA is the SSL - public key for your MA/SA embedded in an XML document and - signed by the root CA SSL private key. The API Certificate - can be used by any PlanetLab node managed by any MA, to - verify that your MA/SA public key is valid. + The API Certificate is your MA/SA public key + embedded in a digitally signed XML document. By default, + this document is self-signed. You may replace this + certificate later with one signed by the PLC root + CA. 
@@ -412,8 +403,19 @@ $Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ SSL Public Certificate /etc/planetlab/api_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. + The corresponding SSL public certificate. By + default, this certificate is self-signed. You may replace + the certificate later with one signed by a root + CA. + + + + Root CA SSL Public Certificate + /etc/planetlab/api_ca_ssl.crt + The certificate of the root CA, if any, that + signed your server certificate. If your server certificate is + self-signed, then this file is the same as your server + certificate. @@ -482,8 +484,19 @@ $Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ SSL Public Certificate /etc/planetlab/www_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. + The corresponding SSL public certificate for + the HTTP server. By default, this certificate is + self-signed. You may replace the certificate later with one + signed by a root CA. + + + + Root CA SSL Public Certificate + /etc/planetlab/www_ca_ssl.crt + The certificate of the root CA, if any, that + signed your server certificate. If your server certificate is + self-signed, then this file is the same as your server + certificate. 
@@ -543,15 +556,25 @@ $Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ SSL Private Key /etc/planetlab/boot_ssl.key The SSL private key to use for encrypting HTTPS - traffic. If non-existent, one will be - generated. + traffic. SSL Public Certificate /etc/planetlab/boot_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. + The corresponding SSL public certificate for + the HTTP server. By default, this certificate is + self-signed. You may replace the certificate later with one + signed by a root CA. + + + + Root CA SSL Public Certificate + /etc/planetlab/boot_ca_ssl.crt + The certificate of the root CA, if any, that + signed your server certificate. If your server certificate is + self-signed, then this file is the same as your server + certificate.
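Review bot: In the @@ -101,27 +101,6 hunk, the three root CA variables (/etc/planetlab/root_ca_ssl.key, root_ca_ssl.pub, root_ca_ssl.crt) are removed with no word on installations that already have them. The removed description said the key would be generated if non-existent, so existing deployments may hold a CA private key at /etc/planetlab/root_ca_ssl.key that no variable refers to after this change. Suggest stating in the commit message or upgrade notes whether that key should be removed or archived, and what happens to certificates it has already signed.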
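Review bot: In the @@ -148,27 +127,39 hunk, the new description for /etc/planetlab/ma_sa_ca_ssl.pub says "this file is the same as your MA/SA public key", but the same hunk removes the SSL Public Key variable (/etc/planetlab/ma_sa_ssl.pub), so the text points at a file the configuration no longer names. Either keep the ma_sa_ssl.pub variable or reword the description to say where that public key now comes from. The section also says "the PLC root CA" where the api, www and boot sections say "a root CA"; if any signing CA is acceptable for the MA/SA certificate, the wording should match.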
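Review bot: In the @@ -412,8 +403,19 hunk (and the matching text in @@ -482,8 +484,19), the new api_ca_ssl.crt description says the file equals the server certificate when that certificate is self-signed, but nothing tells the operator that replacing api_ssl.crt with a CA-signed certificate also means replacing api_ca_ssl.crt. A CA file left holding the old self-signed certificate would no longer correspond to the new server certificate. Suggest adding a sentence to the description along the lines of "If you replace the server certificate, replace this file with the certificate of the CA that signed it."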
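Review bot: In the @@ -543,15 +556,25 hunk, the boot_ssl.key description loses "If non-existent, one will be generated." while the certificate description directly below still says the certificate is self-signed by default. If the boot key is still generated, as the MA/SA key description in the earlier hunk continues to say, keep the sentence; if it is not, the description should say the operator must supply the key. The new certificate text "for the HTTP server" is also word for word the www section's text; confirm that wording is intended for /etc/planetlab/boot_ssl.crt.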