path: root/certs
Commit message | Author | Age | Files
* LDAP: Rotate soon-to-be expired key material. [HEAD, master] | Guilhem Moulin | 2024-09-08 | 4
  Also, switch from rsa4096 to ed25519 and use a separate key for each syncrepl.
* levante: Adjust pinned key material and modules due to new hardware. | Guilhem Moulin | 2024-09-08 | 2
* Use dedicated DKIM key for himmelkanten.se, vimmelkanten.se and hemskaklubben.se. | Guilhem Moulin | 2023-10-22 | 3
* Use dedicated DKIM key for dubre.me. | Guilhem Moulin | 2023-08-20 | 1
* Use dedicated DKIM key for ljhms.se. | Guilhem Moulin | 2023-07-20 | 1
* Use dedicated DKIM key for r0x.se. | Guilhem Moulin | 2022-12-13 | 1
* Use dedicated DKIM key for guilhem.se. | Guilhem Moulin | 2022-10-11 | 1
* Use dedicated DKIM key for gbg.cmsmarx.org. | Guilhem Moulin | 2021-02-13 | 1
* typofix | Guilhem Moulin | 2021-01-24 | 1
* Use dedicated DKIM key for jakmedlem.se. | Guilhem Moulin | 2021-01-24 | 1
* certs/gencerts.sh: Don't hard-code the intermediate CA. | Guilhem Moulin | 2021-01-07 | 1
  Since mid December Let's Encrypt has been using /C=US/O=Let's Encrypt/CN=R3 (CAID #183267) instead of the old /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (CAID #16418).
* Move bacula and munin master to new host levante from benjamin. | Guilhem Moulin | 2020-11-03 | 3
* Use dedicated DKIM key for tevs.net. | Guilhem Moulin | 2020-10-01 | 1
* Use dedicated DKIM key for hemdal.se. | Guilhem Moulin | 2020-05-22 | 1
* Use dedicated DKIM key for guilhem.org. | Guilhem Moulin | 2020-04-22 | 1
* Add dedicated DKIM key for lists.fripost.org. | Guilhem Moulin | 2020-04-22 | 1
  Instead of using the fallback key. That way messages from our lists have proper DMARC alignment (at least when envelope sender and From header are under domain lists.fripost.org).
* Add own DKIM key for debian.org address. | Guilhem Moulin | 2020-04-13 | 1
  Cf. https://lists.debian.org/debian-devel-announce/2020/04/msg00004.html .
  \o/ It's also fairly easy to deploy onto the Debian infrastructure:
      $ USERNAME="guilhem"
      $ SELECTOR="5d30c523ff3622ed454230a16a11ddf6.$USERNAME.user"
      $ printf "dkimPubKey: %s %s\n" "$SELECTOR" \
          "$(openssl pkey -pubin -in "./certs/dkim/$SELECTOR:debian.org.pub" -outform DER | base64 -w0)" \
          | gpg --clearsign | s-nail -r "USERNAME@debian.org" -s dkimPubKey changes@db.debian.org
* MSA: Open 465/TCP for Email Submission over TLS. | Guilhem Moulin | 2019-03-19 | 1
  See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete".
* Add ssh-ed25519 hostkey for benjamin. | Guilhem Moulin | 2018-12-09 | 1
* Remove trailing spaces. | Guilhem Moulin | 2018-12-05 | 1
* DKIM: also include the "d=" tag in key filenames, not only the "s=" tag. | Guilhem Moulin | 2018-12-05 | 3
  While the combination of "s=" tag (selector) & "d=" tag signing domain maps to a unique key, the selector alone doesn't necessarily.
* Upgrade DKIM keys to rsa2048, and allow for multiple keys. | Guilhem Moulin | 2018-12-04 | 3
* gencerts: Also show the algorithm for SSH host keys. | Guilhem Moulin | 2018-12-03 | 1
* Define new host "calima" serving Nextcloud. | Guilhem Moulin | 2018-12-03 | 5
* ssh_known_hosts: also list ed25519 host (pub)keys. | Guilhem Moulin | 2018-12-03 | 1
* certs/gencerts.sh: wibble | Guilhem Moulin | 2018-12-03 | 1
* Rotate civett's IPsec's key. | Guilhem Moulin | 2017-05-29 | 2
* Change civett's CNAME from civett.friprogramvarusyndikatet.se to civett.fripost.org | Guilhem Moulin | 2017-05-14 | 1
* HPKP: increase max-age directive to 6 months from 1 hour. | Guilhem Moulin | 2016-09-18 | 1
* gencerts: improve workning: s/pubkey/SPKI/ | Guilhem Moulin | 2016-09-18 | 1
* Improve certs formatting. | Guilhem Moulin | 2016-07-12 | 1
* gencerts: Print the SHA1 digests in hex not base64 format. | Guilhem Moulin | 2016-07-12 | 1
* typo | Guilhem Moulin | 2016-07-12 | 1
* typo | Guilhem Moulin | 2016-07-12 | 1
* gencerts: make the SSHFPR output match the X509 ones. | Guilhem Moulin | 2016-07-12 | 1
* gencerts: Include SAN for the website and webmail. | Guilhem Moulin | 2016-07-12 | 1
* gencerts: base64-encode the SHA256 digests. | Guilhem Moulin | 2016-07-12 | 1
  Also, include the backup pins in the .asc.
* nginx: Don't hard-code the HPKP headers. | Guilhem Moulin | 2016-07-12 | 5
  Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
* gencerts: exclude expired certs in the CRT queries. | Guilhem Moulin | 2016-07-10 | 1
* Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 7
* Change the pubkey extension from .pem to .pub. | Guilhem Moulin | 2016-07-10 | 9
* typo | Guilhem Moulin | 2016-06-15 | 1
* crt.sh: Replace SHA1 by SHA256 as SPKI digest to list certificates. | Guilhem Moulin | 2016-06-15 | 1
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself. | Guilhem Moulin | 2016-06-15 | 9
  To avoid new commits upon cert renewal.
* Renew cert for https://lists.fripost.org. | Guilhem Moulin | 2016-05-28 | 1
* IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. | Guilhem Moulin | 2016-05-24 | 6
  There is no need to bother with X.509 cruft here.
* Restore the public part of Bacula's data encryption master key. | Guilhem Moulin | 2016-05-23 | 1
  Which was incorrectly removed at commit 8cf4032ecec5b9f58d829e89f231179170432539
* Remove CAcert certificates. | Guilhem Moulin | 2016-05-22 | 2
  We're now using the Let's Encrypt CA for our public internet-facing services.
* gencerts: improve formatting. | Guilhem Moulin | 2016-05-22 | 1
* Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 9