$ openssl rand -base64 48 | awk '{print "-----BEGIN SESSION TICKET KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' >> ticket.key.new && cat ticket.key | awk 'sa==1{n++;sa=1}/-----BEGIN SESSION TICKET KEY-----/{sa=1;X=2}{if(n<3*X){print;}}' >> ticket.key.new && mv ticket.key.new ticket.key

Store not more than X=2 old keys + new one, you can add it to cron file.
I know it's weird to use awk, but I only try to illustrate that it's not a big problem to rotate keys with my schema ;)
But you can't rotate keys with a oneliner if you use "one key per file schema" - there'll be too big probability of mistake during nginx config parsing.

On Mon, Sep 30, 2013 at 7:31 PM, Maxim Dounin <[email protected]> wrote:

> Hello!
>
> On Mon, Sep 30, 2013 at 07:14:59PM +0400, kyprizel wrote:
>
> > $ openssl rand -base64 48 | awk '{print "-----BEGIN SESSION TICKET
> > KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' >>
> > ticket.key.new && cat ticket.key >> ticket.key.new && mv ticket.key.new
> > ticket.key
> >
> > There is no difference b/w binary and PEM form here, but I prefer to see
> > config files in printable characters.
>
> I would prefer printable configs as well. But I don't really
> think that adding PEM header/footer with awk counts as a trivial
> way to do things. It's not something an ordinary admin can do
> with at least 50% chance of getting a correct result for the first
> time.
>
> And, BTW, your key rotation lacks removing of an old key, which
> makes it unusable. Correct implementation will require keeping
> each key in its own file - which essentially makes "single file
> per key" approach more natural.
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html
>
> _______________________________________________
> nginx-devel mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
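The single-file rotation discussed in this thread, written out as a small POSIX sh helper (an added example, not code from the thread or from nginx): it prepends a new PEM-wrapped key block and keeps at most MAX_OLD previous blocks, so old keys are actually retired and the file never grows without bound. The function names and the "new key passed as an argument" interface are assumptions made so the logic can be checked without openssl.

```shell
#!/bin/sh
# Single-file session ticket key rotation in the style proposed in the thread.
# Constructed example: three-line PEM-style blocks, newest key first; the
# function names are assumptions, not nginx tooling.
set -e

BEGIN_MARK='-----BEGIN SESSION TICKET KEY-----'
END_MARK='-----END SESSION TICKET KEY-----'

# rotate_ticket_keys FILE MAX_OLD NEWKEY_B64
# Writes NEWKEY as the first block, then copies at most MAX_OLD complete
# blocks from the existing FILE; anything older is dropped.
rotate_ticket_keys() {
    file=$1; max_old=$2; newkey=$3
    tmp="$file.new"
    {
        printf '%s\n%s\n%s\n' "$BEGIN_MARK" "$newkey" "$END_MARK"
        if [ -f "$file" ]; then
            # count blocks by their BEGIN line and print lines only while
            # still inside one of the first MAX_OLD blocks
            awk -v max="$max_old" -v begin="$BEGIN_MARK" '
                $0 == begin { blocks++ }
                blocks <= max { print }
            ' "$file"
        fi
    } > "$tmp"
    mv "$tmp" "$file"   # rename is atomic: a reload never sees a half-written file
}

# count_ticket_keys FILE: number of key blocks present (0 if FILE is missing)
count_ticket_keys() {
    if [ -f "$1" ]; then
        grep -c -e "$BEGIN_MARK" "$1" || true   # grep -c exits 1 on zero matches
    else
        echo 0
    fi
}

# current_ticket_key FILE: key material of the first (newest) block
current_ticket_key() {
    awk 'NR == 2 { print; exit }' "$1"
}

# rotate_with_openssl FILE MAX_OLD: 48 fresh random bytes, base64 on one line
rotate_with_openssl() {
    rotate_ticket_keys "$1" "$2" "$(openssl rand -base64 48)"
}
```

From cron, `rotate_with_openssl /etc/nginx/ticket.key 2` followed by an nginx reload gives the "not more than X=2 old keys + new one" behaviour described above.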
