Re: Heads Up - openssl makefile and scripts for creating self signed certificates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Oct 24, 2017 at 10:33 AM Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
On 10/24/2017 04:23 PM, Tomas Mraz wrote:
> I was asked here to merge pull request that moves the openssl makefile
> and scripts for creating self signed certificates to /usr/share/doc.
>
> I am not sure this is the right thing to do as these are definitely
> still used currently.
>
> Although it is much easier now to set up proper certificates for your
> servers with Let's Encrypt, it is still not fully automatable process
> (it needs at least some set up at the beginning for the first issued
> certificate). Thus it cannot be included for example in rpm packages
> %post scripts, etc.
>
> At least I would like to know from maintainers of packages  that depend
> on openssl whether they currently use the makefile or the scripts to
> create self signed certificate for the service.

One more thing to add - the pull request is here:

https://src.fedoraproject.org/rpms/openssl/pull-request/1


I'd like to recommend that we start encouraging people to use SSCG for generating "self-signed"[1] certificates when their packages need them.

Also, just a reminder: if you are using any of these tools to generate self-signed certificates as part of an RPM scriptlet, please stop doing that and read https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup which will teach you how to move that into a systemd unit that runs prior to service startup rather than when the package is installed. This has multiple advantages; the entropy pool is likely to be more full during system start-up and it allows tools like virt-sysprep to safely wipe out the certificates when making a Gold Master VM, since the system will automatically generate fresh ones.

[1] SSCG actually generates a one-time-use CA, signs the certificates and then destroys the private key of the CA. See https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/ for a complete explanation.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux