On Fri, Apr 25, 2014 at 02:33:43PM +0000, fweimer@xxxxxxxxxxxxxxxxx wrote:

> + if ! test -e %{tlscert} ; then > + cn="Automatically generated certificate for the %{tlsuser} service" > + openssl req -new -x509 -extensions usr_cert \ > + -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/"

We also pass here:

  -serial $RANDOM -sha256

in the mod_ssl %post, possibly recommend these also? We had a couple of user complaints when the serial number wasn't set; not a big issue but simple to work around. I'm not sure whether current OpenSSL is using a SHA256 hash by default already, that part might be redundant.

Regards, Joe

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
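
Review bot: the openssl req -new -x509 call sets neither a serial number nor a signature digest, so both are left to the defaults of whichever OpenSSL is installed, while the subject is the same fixed "/CN=$cn/" string on every host that runs this scriptlet. Because -x509 produces a self-signed certificate, the issuer name is identical across installs as well, which leaves the serial as the only field that can tell two generated certificates apart. Passing -serial with a per-install value and -sha256 explicitly, as the reply describes for the mod_ssl %post, would pin both instead of relying on defaults. Separately, %{tlsuser} is expanded straight into the -subj argument; a value containing "/" or "=" would change how the subject is parsed, so the macro's expected form (a plain service name) should be documented next to its definition.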