Opened 11 years ago
Last modified 7 years ago
#380 new enhancement
Scripts pony mitcert integration
| Reported by: | davidben | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | pony | Keywords: | |
| Cc: | | | |
Description
Now that we can get real certificates, scripts ought to be pushing for better SSL adoption.
It would be cool if requesting foo.mit.edu automatically (opt-in or opt-out) sent a certificate request to mitcert and configured it when it went through. Probably would need to teach mod-vhost-ldap to deal with SSL first.
Since we suddenly have several dozen certificates expiring this week in celebration of the third anniversary of the SHA1 apocalypse, I was forced to make a bunch of backend progress on this. There are now command-line scripts for finding expiring certificates and sending a mitcert request, and a procmail script for automatically installing certificates from the replies.
Unfortunately, because we sent a huge batch of requests at the last minute, we hosed the mitcert queue and got some certificates back late. For the future, we should do some intelligent desyncing of renewal requests and, if possible, batch multiple requests together with subjectAltName.
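One way the desyncing and subjectAltName batching suggested in the comment above could be planned, as an added example that is not part of the ticket or of the scripts' own code. The `(hostname, owner, not_after)` record shape, grouping by owner, and all four constants are assumptions; the code only builds a schedule and does not talk to mitcert.

```python
import hashlib
from collections import defaultdict
from datetime import date, timedelta

HORIZON_DAYS = 60       # assumed: look this far ahead for expiring certs
RENEW_BEFORE_DAYS = 30  # assumed: latest request goes out this long before expiry
JITTER_DAYS = 21        # assumed: requests are spread over this many days
MAX_SANS = 10           # assumed cap on names per certificate request


def jitter(key):
    """Stable offset in [0, JITTER_DAYS) derived from the key, not from random(),
    so rerunning the planner never reshuffles the schedule."""
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % JITTER_DAYS


def plan_requests(certs, today):
    """certs: iterable of (hostname, owner, not_after) tuples (hypothetical shape).
    Returns sorted [(send_date, owner, [hostnames])], one entry per request."""
    due = defaultdict(list)
    for host, owner, not_after in certs:
        if not_after <= today + timedelta(days=HORIZON_DAYS):
            due[owner].append((not_after, host.lower()))
    plan = []
    for owner, entries in due.items():
        entries.sort()  # earliest expiry first
        for i in range(0, len(entries), MAX_SANS):
            chunk = entries[i:i + MAX_SANS]
            names = sorted(host for _, host in chunk)
            # Schedule off the earliest expiry in the batch; never in the past.
            lead = RENEW_BEFORE_DAYS + jitter(names[0])
            send = max(today, chunk[0][0] - timedelta(days=lead))
            plan.append((send, owner, names))
    return sorted(plan)


if __name__ == "__main__":
    # Constructed sample: 36 single-host owners whose certs expire the same day,
    # plus one owner with 12 hostnames that get batched into two requests.
    expiry = date(2020, 3, 1)
    sample = [(f"site{i}.example.edu", f"locker{i}", expiry) for i in range(36)]
    sample += [(f"app{i}.example.edu", "biglocker", expiry) for i in range(12)]
    for send, owner, names in plan_requests(sample, date(2020, 1, 1)):
        print(send, owner, ",".join(names))
```

Batches stay within one owner so a shared certificate never spans unrelated sites, and an already overdue certificate is clamped to `today` instead of being scheduled in the past.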