Keith C. Perry on 15 Jan 2016 09:20:56 -0800

Re: [PLUG] Topic Suggestion: Let's Encrypt

I was thinking about developing more encryption and security stuff for this year but this seems to be an interesting talk.  The one that came to mind for me (that goes beyond the OpenVPN talk I did) was encrypted storage / containers just using native Linux tools.

I also have an idea for a talk on doing digital fingerprinting and authenticity with SHA2 hashes.  This one could be a two-parter.  The second part goes into writing software for this.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
Keith C. Perry, MS E.E. 
Owner, DAO Technologies LLC 
(O) +1.215.525.4165 x2033 
(M) +1.215.432.5167

----- Original Message -----
From: "Rich Freeman" <>
To: "Philadelphia Linux User's Group Discussion List" <>
Sent: Friday, January 15, 2016 8:58:39 AM
Subject: Re: [PLUG] Topic Suggestion: Let's Encrypt

On Fri, Jan 15, 2016 at 8:24 AM, Anthony Martin
<> wrote:
> 3: I think we should have a talk that starts at the basics and works its way
> up from there for a full 1 hour talk as this is something I personally have
> wanted to look into for a while but have not had the time for side projects
> recently.

Certainly if you added a general overview of how SSL works (the
basics) that would expand the talk to about an hour.

One issue if you want to target this at people who've never set up SSL
is that some of the details tend to be distro-specific, and certainly
software-specific.  Even if you just focused on Apache you'd struggle
to give people a recipe that works for everybody, though if distros
set up letsencrypt fully then it is supposed to be idiot-proof.

However, there are lots of software packages that use certificates
besides Apache.  I'm using Letsencrypt certificates now for my domain
and it maintains the certificates/keys/etc in a directory in /etc with
a symlink for the most current version.  The auto-configure stuff will
patch your config files to point to it, but you can also point your
config files there manually.  Once you do that then all you should
need to do to maintain it is renew your certs and then reload/restart
your services.  The main exception I've found is courier-imap which
uses a funky approach storing both the private key and the certificate
in the same file - so I just cat those two files together into a file
just for that service.

In any case, I'll let somebody else offer to take this one first if interested.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
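
Added example, not part of the original messages: one way to build the single key-plus-certificate file described above for courier-imap after each renewal, without ever leaving the private key world-readable or half-written. The file names privkey.pem and fullchain.pem and both paths are assumptions passed in as arguments; the page does not name them.

```shell
#!/bin/sh
# Added example: build one PEM holding private key + certificate chain for a
# service that wants both in a single file (as described for courier-imap).
# Assumed names: privkey.pem / fullchain.pem inside the client's "current
# version" directory; both paths are passed in, nothing is hard-coded.

# build_combined_pem LIVE_DIR OUT_FILE
# Returns 0 on success, 1 on bad input, 2 if writing fails.
build_combined_pem() {
    live_dir=$1
    out_file=$2
    key="$live_dir/privkey.pem"
    chain="$live_dir/fullchain.pem"

    # Refuse to produce a half-empty file if a renewal left something missing.
    [ -s "$key" ] && [ -s "$chain" ] || return 1
    grep -q 'PRIVATE KEY-----' "$key" || return 1
    grep -q 'BEGIN CERTIFICATE-----' "$chain" || return 1

    # The combined file contains the private key. mktemp creates it readable
    # and writable by the owner only, so there is no window where it is open
    # to other users before a later chmod.
    tmp=$(mktemp "$out_file.XXXXXX") || return 2
    if ! cat "$key" "$chain" > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi

    # A rename within one directory is atomic, so the service never reads a
    # partially written key/cert pair when it is reloaded.
    mv -f "$tmp" "$out_file" || { rm -f "$tmp"; return 2; }
    return 0
}

# Run only when executed with two arguments, e.g. from a post-renewal step:
#   combine.sh /path/to/current/cert/dir /path/to/service-combined.pem
if [ "$#" -eq 2 ]; then
    build_combined_pem "$1" "$2"
fi
```

Reload or restart the service only after the function returns 0, so a failed renewal leaves the previous combined file in place.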