summaryrefslogtreecommitdiffstats
path: root/roles/common/files/usr/local/bin
Commit message (Collapse)AuthorAgeFiles
* LDAP: Rotate soon-to-be expired key material.HEADmasterGuilhem Moulin2024-09-081
| | | | | Also, switch from rsa4096 to ed25519 and use a separate key for each syncrepl.
* DKIM: also include the "d=" tag in key filenames, not only the "s=" tag.Guilhem Moulin2018-12-051
| | | | | While the combination of "s=" tag (selector) & "d=" tag signing domain maps to a unique key, the selector alone doesn't necessarily.
* IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication.Guilhem Moulin2016-05-241
| | | | There is no need to bother with X.509 cruft here.
* genkeypair, gendhparam: use -rand /dev/urandom when generating keys or DH ↵Guilhem Moulin2016-05-222
| | | | parameters.
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.Guilhem Moulin2016-05-181
| | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out.
* typoGuilhem Moulin2015-12-041
|
* genkeypair: use install(1) for atomic file creation with permission mode.Guilhem Moulin2015-10-282
|
* genkeypair.sh: Merge privkey and pubkey for identical filekeys.Guilhem Moulin2015-06-071
| | | | Also, set ‘subjectKeyIdentifier = hash’ in the CSR.
* logjam mitigation.Guilhem Moulin2015-06-072
|
* Key usage 'keyCertSign' is required for self-signed certificates.Guilhem Moulin2015-06-071
|
* 'default_days' in openssl.cnf doesn't work, use -days instead.Guilhem Moulin2015-06-071
|
* Add ability to add custom OrganizationalUnits in genkeypair.Guilhem Moulin2015-06-071
| | | | Also, it's now possible to reuse an existing private key (with -f).
* Add ability to chmod, chown and set the key usage in genkeypair.Guilhem Moulin2015-06-071
|
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-071
| | | | For DKIM signing and virus checking.
* Make genkeypair.sh able to display TXT record for DKIM signatures.Guilhem Moulin2015-06-071
|
* Add support for CSR and subjectAltName in genkeypair.sh.Guilhem Moulin2015-06-071
|
* Don't require a PKI for IPSec.Guilhem Moulin2015-06-071
Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines.