Toolserver:Admin:Crypto
This page was moved from the Toolserver wiki.
Toolserver has been replaced by Toolforge. As such, the instructions here may no longer work, but may still be of historical interest.
Please help by updating examples, links, template links, etc. If a page is still relevant, move it to a normal title and leave a redirect.
Various notes on TS crypto stuff.
SSL
editWe have a StartSSL certificate for *.toolserver.org. This is used for:
- https://toolserver.org
- https://nagios.toolserver.org
- https://svn.toolserver.org
- https://jira.toolserver.org
- https://fisheye.toolserver.org
- https://crowd.toolserver.org
- https://fingerprints.toolserver.org
- https://wiki.toolserver.org
This needs to be changed in the following places when the certificate is renewed:
- Squid on the HA cluster,
/global/misc/squid-reverse/ssl/ - Apache on
amaranth'swebzone,/etc/opt/ts/apache/2.2/ssl/ - In ZWS's admin interface for the admin server
We also have a Toolserver root CA which is used to sign certificates for internal use. This can be found at hemlock:/aux0/ca/.
SSH fingerprints
editSSH fingerprints are stored in Puppet (modules/base/files/keys/). We also store them in DNS, to allow DNSSEC-capable resolvers to authenticate keys, at https://fingerprints.toolserver.org/ for manual verification, and in ssh_known_hosts (also in Puppet) for internal use. All three locations need to be updated if you want to change a host key.