This README is intended for package maintainers. If you are a system
administrator who wants to know about this package, see ssl-cert2 (7).

SSL certificate creation with ssl-cert2
=======================================

If your package requires creation of an SSL certificate then you can use
ssl-cert2. Its main features are

  * Ease of creation for packages. Each package doesn't need to implement
    generation code.

  * Central configuration for system administrators. It is designed to
    allow the admins to choose a policy for the certificates that they can
    then expect packages to follow. This allows for less work when a
    site-specific configuration is needed.

  * Sitewide certificate by default. ssl-cert2 by default creates a
    sitewide certificate that all services can use. By default this is a
    snakeoil cert that merely allows the services to be run, but it can
    easily be updated using debconf or by modifying a link.

  * Sane use of debconf. The main problem with ssl-cert, and the reason
    that I wrote this software, was the use of debconf in that package.
    This package is supposed to use debconf in a sane way that allows the
    admin to use it to manage the certificates. Hopefully this can be
    maintained if more functionality is added.

How to do it
============

If you require creation of a certificate in postinst then make a call to
make-ssl-cert2 (8) in your postinst, like

  make-ssl-cert2 $package

if your package is named $package. You can then assume that the
certificate is at

  /etc/ssl/certs/$package.pem

and the corresponding key is at

  /etc/ssl/private/$package.pem

and you should configure your package to use these locations.

With ssl-cert2 these locations might not actually exist, but if they
don't then it is because the system admin chose it to be that way, and so
they should be capable of diagnosing and fixing the problem, especially
as they will get a little message telling them that this is the case when
your package is configured.

In your postrm when being purged you can add

  make-ssl-cert2 -r $package || true

which will make a best attempt to remove the certificate.

Lastly you need to add your daemon user to the ssl-cert group if
appropriate.

 -- Written by James Westby and licensed under a BSD license.
    See /usr/share/doc/ssl-cert2/copyright
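
The steps above, put together as maintainer-script fragments. This is an added example, not code shipped with ssl-cert2; the package name and daemon user "mydaemon" and the function names are hypothetical, and adding the user with adduser is an assumption about how your package manages group membership.

```shell
#!/bin/sh
# Added example: ssl-cert2 calls for a hypothetical package "mydaemon".
set -e

PACKAGE=mydaemon          # hypothetical package name
DAEMON_USER=mydaemon      # hypothetical user the daemon runs as
CERT="/etc/ssl/certs/$PACKAGE.pem"
KEY="/etc/ssl/private/$PACKAGE.pem"

# Body for postinst's "configure" step.
ssl_cert2_configure() {
    # Ask ssl-cert2 to provide the certificate according to site policy.
    # A failure here aborts the postinst because of set -e.
    make-ssl-cert2 "$PACKAGE"

    # The admin's policy may mean these paths do not exist. That is their
    # decision, so report it on stderr and carry on instead of failing.
    for f in "$CERT" "$KEY"; do
        [ -e "$f" ] || echo "$PACKAGE: $f not present (site policy?)" >&2
    done

    # Add the daemon user to the ssl-cert group, if appropriate for
    # your daemon.
    adduser "$DAEMON_USER" ssl-cert
}

# Body for postrm's "purge" step.
ssl_cert2_purge() {
    # Best-effort removal: ssl-cert2 may already be gone at purge time,
    # so a failure must not make the purge fail.
    make-ssl-cert2 -r "$PACKAGE" || true
}

# dpkg passes the action as $1. In a real package the first branch lives
# in postinst and the second in postrm; they share a file here only so
# that the example is self-contained.
case "${1:-}" in
    configure) ssl_cert2_configure ;;
    purge)     ssl_cert2_purge ;;
esac
```

Point the daemon's own configuration at the two .pem paths rather than copying the files, so that a later change of site policy is picked up without touching the package.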