
Toolserver:Admin:Crypto

From mediawiki.org

This page was moved from the Toolserver wiki.
Toolserver has been replaced by Toolforge. As such, the instructions here may no longer work, but may still be of historical interest.

Various notes on TS crypto stuff.

SSL


We have a StartSSL certificate for *.toolserver.org. This is used for:

This needs to be changed in the following places when the certificate is renewed:

  • Squid on the HA cluster, /global/misc/squid-reverse/ssl/
  • Apache on amaranth's web zone, /etc/opt/ts/apache/2.2/ssl/
  • In ZWS's admin interface for the admin server

We also have a Toolserver root CA which is used to sign certificates for internal use. This can be found at hemlock:/aux0/ca/.

SSH fingerprints


SSH fingerprints are stored in Puppet (modules/base/files/keys/). We also store them in three other places: in DNS, to allow DNSSEC-capable resolvers to authenticate keys; at https://fingerprints.toolserver.org/, for manual verification; and in ssh_known_hosts (also in Puppet), for internal use. All three locations need to be updated if you want to change a host key.
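A host key that is rotated in one location but not the others leaves clients comparing against a stale fingerprint. The following check is an added example, not part of the original page or the Toolserver tooling: it takes ssh_known_hosts as the reference and reports which of the other two locations disagree. It assumes the DNS copies are SSHFP records and that the web page lists OpenSSH-style SHA256 fingerprints; the host names, keys and function names are constructed for illustration.

```python
import base64, hashlib, struct

# SSHFP key-algorithm numbers from the IANA registry (RFC 4255, 6594, 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}

def parse_known_hosts(text):
    """Map each plain host name to (key type, raw key blob)."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers, hashed names.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        for host in fields[0].split(","):
            keys[host] = (fields[1], base64.b64decode(fields[2]))
    return keys

def sshfp_rdata(keytype, blob):
    """RDATA of the SHA-256 (fingerprint type 2) SSHFP record for a key."""
    return f"{SSHFP_ALGO[keytype]} 2 {hashlib.sha256(blob).hexdigest()}"

def openssh_fingerprint(blob):
    """Fingerprint in the form `ssh-keygen -l` prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def stale_locations(known_hosts, dns, published):
    """Return {host: [locations that disagree with ssh_known_hosts]}."""
    stale = {}
    for host, (keytype, blob) in parse_known_hosts(known_hosts).items():
        bad = []
        if sshfp_rdata(keytype, blob) not in {r.lower() for r in dns.get(host, ())}:
            bad.append("dns")
        if published.get(host) != openssh_fingerprint(blob):
            bad.append("web")
        if bad:
            stale[host] = bad
    return stale

def make_blob(seed):
    """Constructed ed25519 key blob (sample data, not a real host key)."""
    name, key = b"ssh-ed25519", bytes([seed]) * 32
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key

# Constructed inputs: login's key was rotated everywhere except DNS.
OLD, NEW, DB = make_blob(1), make_blob(2), make_blob(3)
KEYS = {"login.example.org": NEW, "db.example.org": DB}
KNOWN_HOSTS = "\n".join(f"{h} ssh-ed25519 {base64.b64encode(k).decode()}" for h, k in KEYS.items())
DNS = {"login.example.org": {sshfp_rdata("ssh-ed25519", OLD)},
       "db.example.org": {sshfp_rdata("ssh-ed25519", DB).upper()}}
PUBLISHED = {h: openssh_fingerprint(k) for h, k in KEYS.items()}
```

In practice the `dns` argument would be filled from SSHFP lookups through a DNSSEC-validating resolver and `published` from the fingerprint page.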
