While the effort that went into this article is much appreciated, it seems it's a little out of date and the format/organization could be improved. The example /etc/ssl/openssl.cnf doesn't match the current default file, which can make things confusing to newcomers. Also, trying to have the reader make in-depth customizations/dissections to /etc/ssl/openssl.cnf might not be the best approach. It seems to me that one could show separate explanations and configs for use cases/needs so readers could simply pick their use case, follow instructions and copy and paste one of the separate config files, if needed. Also, I experienced various issues trying to use current instructions and ended up making minor tweaks to /etc/ssl/openssl.cnf and running CA.sh to create my CA and cert, so the current article may be currently, technically broken.
after overview, package info, etc...
self signed cert: list uses and drawbacks. list steps to implement.
create cert request for supplying to CAs: basic description and list steps to implement, including copy of appropriately configured /etc/ssl/openssl.cnf
create local ca, create req, key, and cert and sign cert with said ca: description/uses and list steps to implement. either appropriately configured /etc/ssl/openssl.cnf and Makefile or instruct on using CA.sh/CA.pl scripts with /etc/ssl/openssl.cnf. If /etc/ssl/openssl.cnf + Makefile method, maybe a note on managing diff versions of /etc/ssl/openssl.cnf for the use cases using alt cnf file names. This way all three implementations could be achieved when needed from same server without having to redo everything. include note on postfix needing unencrypted key and how to get both encrypted and unencrypted results with whichever method is chosen. I decrypted key after generating with CA.sh, as I wasn't sure how to create unencrypted key using CA.sh script and was out of time/patience for more research.
I'm not an openssl expert and am brand new to wiki editing so I wasn't sure how best to help get this updated/modified. Any comments/suggestions by Arch elders/other end users are appreciated. ITwrx (talk) 16:09, 15 May 2015 (UTC)
- Hi, thanks for opening this item. It is a lot of input, I think it would be best to approach this in two steps:
- First, we should make sure outdated parts of the article are marked, so that instructions are not confusing to users. If you can point to the sections which you found outdated, you can place a status template (e.g. out of date, accuracy, etc, see Help:Template#Article_status_templates). Can you do that?
- Second, your ideas how to re-structure: The first two I find straight-forward how you write, the third should take a bit to figure how to improve the current article.
You don't mention it, but one thing I would like in this article is the coverage of changed certificate packaging. I think it's a good and flexible approach the devs found there, but it would be valuable for users to expand on that news a little in this article (where TBD).
- Another general point that should be considered: we want to avoid long config dumps in the wiki nowadays, because they can indeed outdate too quick (but a way will be found to get the context in).
- Let's see, if other interested editors reply. --Indigo (talk) 18:45, 15 May 2015 (UTC)
- Remove the ca section and Certificate authority because running a CA is a highly advanced topic for which one should consult the official documentation.
- Move GOST engine support to a new Tips and tricks section.
- Create a Certificate section below Generating keys.
- Remove the SSL introduction because Wikipedia does a better job at explaining and the definitions are at least partially wrong.
- Merge the req section with Creating certificate signing requests and explain how to provide a temporary config file with
- [DONE] Mention Let's Encrypt and link List of applications/Internet#ACME clients.
- [DONE] Create a TLS certificate redirect to OpenSSL#Certificate Template:TLS note Server-side TLS article.
- Make web server and mail server articles link TLS certificate transclude Template:TLS note instead of duplicating it OpenSSL#Certificates and Server-side TLS.
What do you guys think?
- Since nobody responded in a week, I went ahead and made some changes. In particular I removed the sections containing only config snippets and created Template:TLS note. --Larivact (talk) 07:32, 6 July 2018 (UTC)