pyca 20031119-0 / usr / share / doc / pyca / README.Debian

pyca for Debian
---------------

I have applied a patch to provide debianized defaults. So there should
be no need to provide parameters to many of the maintenance scripts.

Debconf adaptation is not implemented yet, so you MUST edit the files in
/etc/pyca manually. 

A nice document for this is the usr/share/doc/openssl/doc/openssl.txt.gz
which can be found in the openssl package.

When you have done this you may give the ``ca-make.py'' command to create
your Root CA and sub CA's. Have a piece of paper ready, you need several
good passwords :)

The Debian ``slapd'' have the correct inetorgperson.schema required for
storing X.509 certificates. Before you issue the ``ca2ldif.py'' command 
to put your CAcertificates into ldap you need to run ``ca-cycle-priv.py''
to create CRL's - even if you haven't issued and much less revoked any
certificates yet. Then use all parameters to command something like:

 ca2ldif.py --crl --dntemplate="cn=%(CN)s,ou=ca,o=debian,c=no" | slapadd

The possibility of using domainComponents instead of C/St/L/O/OU notation
for DN's have been explored. Where as this seems to be The Right Thing in
terms of how LDAP is being used these days, it looks awful in the
applications I have tested. (IE, Mozilla, Firebird, Mutt, Outlook Express,
Outlook). Applications look for the C/St/L/O/OU fields in order to display
their contents to the user.
Not finding this information they display nothing, which looks very silly.
Mind you, the problem is purely cosmetic. 

Oh, and the applications tend *not* to display utf-8, as well :( So my 
personal company name - Tølveguten - can't be used.

If your use for a CA is to have client certificates for your mail server
internally on the other hand, domainComponent notation will ease the pain
of setting up SASL.
 
 -- Lars Bahner <bahner@debian.org>, Wed Mar 26 20:10:49 CEST 2003