Q: I am a software vendor, and I want to integrate certificates into my software properly. How should I do that?

=== Installation ===
 * Upon installation, automatically generate a new, fresh and secure keypair (secret key + public key). We suggest using RSA with a key length of 2048 bits. Make sure that the keypair is freshly generated from real random numbers (/dev/random), and that you do not ship any secret keys or certificates to your customers.
 * Then automatically generate a self-signed certificate and activate it in your software. This ensures that the user can use an encrypted session immediately.
 * Then automatically generate a certificate request (CSR) for the administrator, display/save it for the administrator, and tell the administrator to send it to a CA and get a proper certificate for it.
 * Make it possible for the user to upload/load/implement a

=== After the Installation ===
 * Later on, make it easy for the administrator to upload/load/implement the received certificate into the software, and perhaps remind the administrator not to forget to get a certificate.

=== Before the certificate expires ===
 * Regularly check for expiring certificates. Automatically generate self-signed certificates and certificate requests, and offer the administrator the option to replace the expiring certificate with a renewed one or, again, a self-signed one.

=== Identity changes ===
 * If the software is told about an identity change (it becomes responsible for a different hostname or domain name), it should verify whether the certificate still applies to the new identity. If it does not, the software should ask the administrator to get a new certificate for the new identity in the usual manner.
 * Additionally, the software should inform the administrator that this may be a good time to revoke the old certificate if it isn't needed anymore. (Be careful with certificates that were used for signing!)
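The installation steps and the recurring expiry and identity checks described above, as an added Go example using only the standard library (not code from the original page). The names `Bootstrap` and `NeedsAction`, the hostname and the validity and warning periods are assumptions chosen for illustration; key storage and PEM encoding of the CSR are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Bootstrap (install time): key generated locally from the OS CSPRNG, self-signed cert for immediate use, DER CSR for a CA.
func Bootstrap(host string, validFor time.Duration) (key *rsa.PrivateKey, cert *x509.Certificate, csr []byte, err error) {
	if key, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return
	}
	subj, now := pkix.Name{CommonName: host}, time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: subj, DNSNames: []string{host},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(validFor),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed: template is its own parent
	if err != nil {
		return
	}
	if cert, err = x509.ParseCertificate(der); err != nil {
		return
	}
	csr, err = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj, DNSNames: []string{host}}, key)
	return
}

// NeedsAction (recurring check): "identity-changed" if cert no longer covers host, "expiring" inside the warning window, else "".
func NeedsAction(cert *x509.Certificate, host string, now time.Time, warn time.Duration) string {
	if cert.VerifyHostname(host) != nil {
		return "identity-changed"
	}
	if now.Add(warn).After(cert.NotAfter) {
		return "expiring"
	}
	return ""
}

func main() {
	_, cert, csr, err := Bootstrap("app.example.test", 30*24*time.Hour) // constructed hostname
	fmt.Println("CSR bytes:", len(csr), "error:", err, "nothing to do:", err == nil && NeedsAction(cert, "app.example.test", time.Now(), 14*24*time.Hour) == "")
}
```

A non-empty result from `NeedsAction` is the point at which the software would call `Bootstrap` again and prompt the administrator with the new CSR.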