Traffic Control only supports a very limited few (one, maybe two), so we shouldn't need to worry about that.
On Fri, Nov 30, 2018 at 3:14 PM Gray, Jonathan <jonathan_g...@comcast.com> wrote:
> The instructions on adding a custom root CA to a server trust store are
> going to vary by OS, Distro, and Major Rev.
>
> Jonathan G
>
>
> On 11/30/18, 2:55 PM, "Rawlin Peters" <rawlin.pet...@gmail.com> wrote:
>
>     On Fri, Nov 30, 2018 at 12:56 PM Hank Beatty <hbea...@apache.org> wrote:
>     >
>     > +1
>     >
>     > On 11/30/2018 02:43 PM, Rawlin Peters wrote:
>     > > If you want your self-signed certs to be fully validated by the API,
>     > > you will need to create an internal signing authority, sign your
>     > > created certs using that internal signing authority, and install the
>     > > internal signing authority certs on your TO servers. This is what I
>     > > would recommend as it provides full verification of your "self-signed"
>     > > certs because they will appear to be "real" certs and won't emit a
>     > > warning from the API. That exercise is left up to the administrator.
>     >
>     > I know that this is outside Traffic Control but, do you know where I
>     > could find some documentation on doing what you describe above?
>     >
>     > Thanks,
>     > Hank
>
>     I briefly skimmed over these pages, but they seemed like they'd do the job:
>
>     https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
>     https://thomas-leister.de/en/how-to-import-ca-root-certificate/
>
>     For cert validation purposes only, your internal root CA cert would
>     only have to be installed on your TO servers (whether it be your local
>     TO on your laptop or Prod TO) since TO will be validating the cert
>     against the root CAs that have been installed on its system.
>
>     - Rawlin
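
The internal-signing-authority procedure discussed in this thread, sketched with the openssl CLI as an added example (not part of the original messages and not Traffic Control code): it creates a root CA, signs a leaf with it, and checks that the CA-signed leaf validates against the CA while a plain self-signed cert does not. The host name `to.example.test`, the CA name, the file names and the 30-day lifetimes are assumptions; installing `ca.crt` into the server trust store is OS-specific and not shown.

```shell
#!/bin/sh
# Added example; every name, hostname and lifetime here is a constructed placeholder.
set -eu

# make_demo_pki DIR: create an internal root CA, a leaf signed by it, and a
# plain self-signed leaf for comparison, all inside DIR.
make_demo_pki() {
  dir=$1 host=to.example.test
  # Own config so the demo does not depend on the system openssl.cnf.
  cat > "$dir/demo.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
  # 1. Internal root CA (in real use, keep ca.key off the servers).
  openssl req -x509 -config "$dir/demo.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 30 \
    -subj "/CN=Example Internal Root CA" 2>/dev/null
  # 2. Leaf key and CSR, then sign the CSR with the CA.
  openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=$host" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/demo.cnf" -extensions leaf_ext -days 30 \
    -out "$dir/leaf.crt" 2>/dev/null
  # 3. Ordinary self-signed cert for the same host, with no CA behind it.
  openssl req -x509 -config "$dir/demo.cnf" -extensions leaf_ext -newkey rsa:2048 \
    -nodes -keyout "$dir/self.key" -out "$dir/self.crt" -days 30 \
    -subj "/CN=$host" 2>/dev/null
}

# chains_to CA CERT: succeed only if CERT validates against the CA file.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

d=$(mktemp -d)
make_demo_pki "$d"
chains_to "$d/ca.crt" "$d/leaf.crt" && echo "CA-signed leaf: validates"
chains_to "$d/ca.crt" "$d/self.crt" || echo "self-signed leaf: rejected"
rm -rf "$d"
```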