Do I need ca-certificates on my server? - Teh Forum

SoftwareDo I need ca-certificates on my server?

From:	CHYRON (DSMITHHFX)	10 Apr 2014 13:40
To:	ALL	1 of 8

41025.1
I'm running a slightly overdue update on a staging server, and it's re-doing all the "ca-certificates", an excruciatingly slow process (normally updates run about 10-minutes, this is pushing a half hour already). I'm not doing any e-commerce on this server (ISTR testing it on it once or twice, for production elsewhere). Can I safely nuke the certificates? Edit: Or can I prune them down to the half-dozen most commonly used (in case I need to do more testing in future)? It's done about 50 so far. And it's really starting to piss me off! :-& ---- "Ninety percent of Americans use the Internet. The other ten percent use the banjo."

0/0

More

From:	Lucy (X3N0PH0N)	10 Apr 2014 16:02
To:	CHYRON (DSMITHHFX)	2 of 8

41025.2 In reply to 41025.1
It'll be replacing them because of Heartbleed. And it'll be slow because everyone else in the world is doing the same thing. , , , , , , , , , , `' (o,o) (o,o) (o,o) (o,o) (o,o) \ \|)__) \|)__) \|)__) \|)__) \|)__) ''`>-,--”-”---”-”---”-”---”-”---”-”---- ,'.*''`

0/0

More

From:	CHYRON (DSMITHHFX)	10 Apr 2014 16:37
To:	Lucy (X3N0PH0N)	3 of 8

41025.3 In reply to 41025.2
Yeah, I figured. The download wasn't slow, it was the onboard re-compiling that was killer (it's on a G4 ppc). So... do I need 'em or no? ---- "Ninety percent of Americans use the Internet. The other ten percent use the banjo."

0/0

More

From:	Lucy (X3N0PH0N)	10 Apr 2014 16:45
To:	CHYRON (DSMITHHFX)	4 of 8

41025.4 In reply to 41025.3
I don't know, sorry. That's a side of things I know absolutely fuck all about. My guess would be that, given that it's a staging thing and I don't suppose many people will be using it, get everyone who uses it to add a security exception? And maybe self-sign as a little tiny bit of protection. , , , , , , , , , , `' (o,o) (o,o) (o,o) (o,o) (o,o) \ \|)__) \|)__) \|)__) \|)__) \|)__) ''`>-,--”-”---”-”---”-”---”-”---”-”---- ,'.*''`

0/0

More

From:	CHYRON (DSMITHHFX)	10 Apr 2014 16:52
To:	Lucy (X3N0PH0N)	5 of 8

41025.5 In reply to 41025.4
It's not a certificate for my server (which I don't run https on), it's a bunch of certificates that mostly appear to be for online transactions (e.g. thawte, a bunch of banks &ct). I guess https://launchpad.net/ubuntu/+source/ca-certificates "PEM files of CA certificates to allow SSL-based applications to check for the authenticity of SSL connections." ---- "Ninety percent of Americans use the Internet. The other ten percent use the banjo."

0/0

More

From:	Lucy (X3N0PH0N)	10 Apr 2014 17:10
To:	CHYRON (DSMITHHFX)	6 of 8

41025.6 In reply to 41025.5
You can still self-sign. But yeah, whether it'll actually work is another matter. But then I guess you don't actually need that part to work so...? , , , , , , , , , , `' (o,o) (o,o) (o,o) (o,o) (o,o) \ \|)__) \|)__) \|)__) \|)__) \|)__) ''`>-,--”-”---”-”---”-”---”-”---”-”---- ,'.*''`

0/0

More

From:	Matt	10 Apr 2014 17:36
To:	CHYRON (DSMITHHFX)	7 of 8

41025.7 In reply to 41025.5
You want them. CA Certificates are those used by the certificate vendors to verify other SSL certificates, they're not just used for HTTPS but lots of other SSL transports. Without up to date CA certificates your ability to communicate securely over SSL is as good as non existent.

0/0

More

From:	CHYRON (DSMITHHFX)	10 Apr 2014 18:00
To:	Matt	8 of 8

41025.8 In reply to 41025.7
OK, thanks. I can't remember if they were onboard the original ubuntu server installation, a package dependency, or I deliberately installed them. Maybe they're using stronger encryption, which could explain why they seemed so slow today. Apparently they're not updated very frequently. ---- "Ninety percent of Americans use the Internet. The other ten percent use the banjo."

0/0

More

Reply to All

Adjust text size : Smaller 10 Larger

Beehive Forum 1.5.2 | FAQ | Docs | Support | Donate!

©2002 - 2024 Project Beehive Forum

Forum Stats