Do I need ca-certificates on my server?

From: CHYRON (DSMITHHFX) 10 Apr 2014 13:40
To: ALL 1 of 8
I'm running a slightly overdue update on a staging server, and it's re-doing all the "ca-certificates", an excruciatingly slow process (normally updates run about 10 minutes, this is pushing a half hour already).

I'm not doing any e-commerce on this server (ISTR testing it on it once or twice, for production elsewhere). Can I safely nuke the certificates?

Edit: Or can I prune them down to the half-dozen most commonly used (in case I need to do more testing in future)? It's done about 50 so far. And it's really starting to piss me off!  :-&
EDITED: 10 Apr 2014 13:47 by DSMITHHFX
From: Lucy (X3N0PH0N) 10 Apr 2014 16:02
To: CHYRON (DSMITHHFX) 2 of 8
It'll be replacing them because of Heartbleed. And it'll be slow because everyone else in the world is doing the same thing.

 
From: CHYRON (DSMITHHFX) 10 Apr 2014 16:37
To: Lucy (X3N0PH0N) 3 of 8
Yeah, I figured. The download wasn't slow, it was the onboard re-compiling that was killer (it's on a G4 ppc). So... do I need 'em or no?
From: Lucy (X3N0PH0N) 10 Apr 2014 16:45
To: CHYRON (DSMITHHFX) 4 of 8
I don't know, sorry. That's a side of things I know absolutely fuck all about.

My *guess* would be that, given that it's a staging thing and I don't suppose many people will be using it, get everyone who uses it to add a security exception? And maybe self-sign as a little tiny bit of protection.
From: CHYRON (DSMITHHFX) 10 Apr 2014 16:52
To: Lucy (X3N0PH0N) 5 of 8
It's not a certificate for my server (which I don't run https on), it's a bunch of certificates that mostly appear to be for online transactions (e.g. Thawte, a bunch of banks &ct). *I guess*

https://launchpad.net/ubuntu/+source/ca-certificates

"PEM files of CA certificates to allow SSL-based applications to check for the authenticity of SSL connections."
From: Lucy (X3N0PH0N) 10 Apr 2014 17:10
To: CHYRON (DSMITHHFX) 6 of 8
You can still self-sign. But yeah, whether it'll actually work is another matter. But then I guess you don't actually need that part to work so...?
From: Matt 10 Apr 2014 17:36
To: CHYRON (DSMITHHFX) 7 of 8
You want them. CA Certificates are those used by the certificate vendors to verify other SSL certificates; they're not just used for HTTPS but lots of other SSL transports. Without up-to-date CA certificates your ability to communicate securely over SSL is as good as non-existent.
EDITED: 10 Apr 2014 17:37 by MATT
From: CHYRON (DSMITHHFX) 10 Apr 2014 18:00
To: Matt 8 of 8
OK, thanks. I can't remember if they were onboard the original Ubuntu server installation, a package dependency, or I deliberately installed them. Maybe they're using stronger encryption, which could explain why they seemed so slow today. Apparently they're not updated very frequently.
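
What Matt's reply (7 of 8) describes, shown as an added example that is not part of the original thread: a client accepts a server certificate only if its trust store holds the CA that issued it. The sketch assumes the `openssl` command-line tool with its default configuration is installed; the function names, file names and subjects such as "staging.example" are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration: every key and certificate here is a throwaway
# generated locally; nothing is read from the system trust store on purpose.

# make_demo_pki DIR: build two unrelated root CAs and one server
# certificate signed by the first. All subject names are constructed.
make_demo_pki() {
    dir=$1
    # Root CA that will sit in the trust store (plays the role of one
    # entry in the ca-certificates bundle).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Trusted Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # A second root that never signed the server certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Unrelated Root" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null || return 1
    # Server key and signing request, then the first CA signs it.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=staging.example" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/srv.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/srv.pem" 2>/dev/null || return 1
}

# check_against_store CAFILE CERT: print "trusted" if CERT chains to a CA
# in CAFILE, otherwise "untrusted".
check_against_store() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo=$(mktemp -d)
if make_demo_pki "$demo"; then
    echo "store holds issuing CA: $(check_against_store "$demo/ca.pem" "$demo/srv.pem")"
    echo "store lacks issuing CA: $(check_against_store "$demo/other.pem" "$demo/srv.pem")"
fi
rm -rf "$demo"
```

The second check is what every outbound SSL client on the box (package downloads, mail relays, API calls) would hit for a site whose issuing CA had been removed from the bundle.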