On Tue, Oct 24, 2017 at 10:33 AM Tomas Mraz <tm...@redhat.com> wrote:

> On 10/24/2017 04:23 PM, Tomas Mraz wrote:
> > I was asked here to merge pull request that moves the openssl makefile
> > and scripts for creating self signed certificates to /usr/share/doc.
> >
> > I am not sure this is the right thing to do as these are definitely
> > still used currently.
> >
> > Although it is much easier now to set up proper certificates for your
> > servers with Let's Encrypt, it is still not fully automatable process
> > (it needs at least some set up at the beginning for the first issued
> > certificate). Thus it cannot be included for example in rpm packages
> > %post scripts, etc.
> >
> > At least I would like to know from maintainers of packages that depend
> > on openssl whether they currently use the makefile or the scripts to
> > create self signed certificate for the service.
>
> One more thing to add - the pull request is here:
>
> https://src.fedoraproject.org/rpms/openssl/pull-request/1
>
>
I'd like to recommend that we start encouraging people to use SSCG for
generating "self-signed"[1] certificates when their packages need them.

Also, just a reminder: if you are using any of these tools to generate
self-signed certificates as part of an RPM scriptlet, please stop doing
that and read https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup
which will teach you how to move that into a systemd unit that runs prior to
service startup rather than when the package is installed. This has
multiple advantages; the entropy pool is likely to be more full during
system start-up and it allows tools like virt-sysprep to safely wipe out
the certificates when making a Gold Master VM, since the system will
automatically generate fresh ones.

[1] SSCG actually generates a one-time-use CA, signs the certificates and
then destroys the private key of the CA. See
https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/
for a complete explanation.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org