Toolserver:Admin:Crypto

Various notes on Toolserver crypto: the TLS certificate and where it is deployed, the internal root CA, and SSH host key fingerprints.

SSL
We have a StartSSL certificate for *.toolserver.org. This is used for:
 * https://toolserver.org
 * https://nagios.toolserver.org
 * https://svn.toolserver.org
 * https://jira.toolserver.org
 * https://fisheye.toolserver.org
 * https://crowd.toolserver.org
 * https://fingerprints.toolserver.org
 * https://wiki.toolserver.org

When the certificate is renewed, the new certificate (and the private key, if it was re-keyed) must be installed in each of the following places; a location that is missed keeps serving the old certificate until it expires:

 * Squid on the HA cluster, /global/misc/squid-reverse/ssl/
 * Apache on amaranth's web zone, /etc/opt/ts/apache/2.2/ssl/
 * In ZWS's admin interface for the admin server
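To confirm after a renewal that every endpoint above actually picked up the new certificate, the following added script (not part of this page or of Toolserver's own tooling) connects to each hostname with SNI, takes the SHA-256 fingerprint of the leaf certificate it is served, and reports any host whose fingerprint differs from the majority, which is where the old certificate is most likely still deployed. The hostnames are the ones listed above; the port, timeout and output format are assumptions.

```python
"""Check that all *.toolserver.org endpoints serve the same TLS certificate.

Added example, not Toolserver's own tooling.  The host list is the one on
this page; port 443 and the 5 s timeout are assumptions.
"""
import hashlib
import socket
import ssl
from collections import Counter
from typing import Dict

# Hostnames listed on this page as users of the wildcard certificate.
HOSTS = [
    "toolserver.org", "nagios.toolserver.org", "svn.toolserver.org",
    "jira.toolserver.org", "fisheye.toolserver.org", "crowd.toolserver.org",
    "fingerprints.toolserver.org", "wiki.toolserver.org",
]


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated
    upper-case hex, the format `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with SNI and return the fingerprint of the leaf certificate.

    Chain and hostname verification stay enabled on purpose: an expired or
    wrongly chained certificate must fail here rather than be reported as
    'matching'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_fingerprint(tls.getpeercert(binary_form=True))


def outliers(fingerprints: Dict[str, str]) -> Dict[str, str]:
    """Return the hosts whose fingerprint differs from the most common one.

    After a renewal the majority value is the new certificate; anything else
    is a location from the checklist that was missed (or a connection error
    recorded in place of a fingerprint)."""
    if not fingerprints:
        return {}
    expected, _ = Counter(fingerprints.values()).most_common(1)[0]
    return {h: fp for h, fp in fingerprints.items() if fp != expected}


if __name__ == "__main__":
    seen = {}
    for host in HOSTS:
        try:
            seen[host] = fetch_fingerprint(host)
        except (OSError, ssl.SSLError) as exc:
            seen[host] = "ERROR: %s" % exc
    for host, fp in seen.items():
        print("%-32s %s" % (host, fp))
    stale = outliers(seen)
    print("all hosts agree" if not stale else "mismatching: %s" % sorted(stale))
```

Run it once before the renewal to record the old fingerprint and once after; every host should move to the new value, and a host that still shows the old one is one of the three deployment locations that was not updated.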

We also have a Toolserver root CA which is used to sign certificates for internal use. It lives at hemlock:/aux0/ca/. Certificates it signs are only trusted by hosts that have the Toolserver root in their trust store, so it is not a substitute for the StartSSL certificate on anything user-facing.

SSH fingerprints
SSH host key fingerprints are kept in several places, and every one of them must be updated when a host key changes:


 * Puppet, modules/base/files/keys/ (the master copy)
 * DNS, as SSHFP records, so that clients using a DNSSEC-validating resolver can authenticate a host key on first connection
 * https://fingerprints.toolserver.org/ for manual verification (this is itself protected by the *.toolserver.org certificate above)
 * ssh_known_hosts, also managed in Puppet, for internal host-to-host use

Note that the SSHFP records only help clients that have VerifyHostKeyDNS enabled and whose resolver validates DNSSEC; everyone else still relies on ssh_known_hosts or on checking the fingerprint page by hand.
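The following added example (not Toolserver's Puppet or DNS tooling) shows how the three representations of a host key relate: it parses a public key line as found in ssh_known_hosts, derives the OpenSSH fingerprint that `ssh-keygen -lf` prints, emits the SSHFP zone record that `ssh-keygen -r` would produce, and checks a key against such a record the way a client with VerifyHostKeyDNS does (the client additionally requires the resolver's AD bit before trusting the answer). The sample key is constructed for the example and is not a real host key; the hostname used is an assumption.

```python
"""OpenSSH fingerprint and DNS SSHFP record for a public host key.

Added example, not Toolserver's own tooling.  The sample key below is
constructed (all 0x42 bytes) and is not a real host key.
"""
import base64
import hashlib
import struct
from typing import Tuple

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA1, SSHFP_SHA256 = 1, 2  # SSHFP fingerprint-type field


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b


def parse_pubkey(line: str) -> Tuple[str, bytes]:
    """Return (key type, raw key blob) from a known_hosts/authorized_keys style
    line such as 'ssh-ed25519 AAAA... comment'."""
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob begins with the key type as an SSH string; refuse mismatches.
    if blob[:4 + len(ktype)] != ssh_string(ktype.encode()):
        raise ValueError("key type in blob does not match the line prefix")
    return ktype, blob


def openssh_fingerprint(blob: bytes) -> str:
    """What `ssh-keygen -lf` prints: SHA-256 of the blob, base64, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_record(host: str, ktype: str, blob: bytes) -> str:
    """Zone-file line equivalent to `ssh-keygen -r host` (SHA-256 variant):
    the fingerprint is the plain hex SHA-256 of the same blob."""
    alg = SSHFP_ALGORITHM[ktype]
    return "%s. IN SSHFP %d %d %s" % (host, alg, SSHFP_SHA256,
                                      hashlib.sha256(blob).hexdigest())


def key_matches_record(ktype: str, blob: bytes, record: str) -> bool:
    """Does a presented host key match an SSHFP record?  This is the comparison
    ssh makes with VerifyHostKeyDNS=yes; ssh also demands that the resolver
    flagged the answer as DNSSEC-validated, which is outside this function."""
    fields = record.split()
    alg, fptype, fp = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    if alg != SSHFP_ALGORITHM.get(ktype):
        return False
    hasher = {SSHFP_SHA1: hashlib.sha1, SSHFP_SHA256: hashlib.sha256}.get(fptype)
    return hasher is not None and hasher(blob).hexdigest() == fp


# Constructed sample: an ed25519 key whose 32 raw bytes are all 0x42.
_raw = bytes([0x42] * 32)
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(_raw)
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " example"

if __name__ == "__main__":
    ktype, blob = parse_pubkey(SAMPLE_LINE)
    print(openssh_fingerprint(blob))
    record = sshfp_record("example.toolserver.org", ktype, blob)
    print(record)
    print("key matches record:", key_matches_record(ktype, blob, record))
```

The point to take away is that all three locations are derived from the same key blob, so after a host key change the new ssh_known_hosts line, the new SSHFP record and the fingerprint shown on the web page can be checked against each other rather than trusted independently.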