On Tue, Jun 29, 2010 at 12:44 PM, Trevor Vaughan <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I was doing some thinking and reading through the posts on the Apache
> CRL issue with puppet and realized that people were suggesting changing
> the wrong host value.
>
> Fundamentally, the CN in the CA cert is irrelevant. In theory, you never
> hit that server live so it makes no difference if it were all called "bob".

In fact, the key usage X.509 attributes should prevent the CA
certificate from being used as an SSL server certificate entirely.  The
CA certificate CN field has nothing to do with hostname as far as
validation is concerned, unlike an SSL server certificate.

> Obviously, this doesn't solve the issue with existing CA's but, if you
> can stomach blowing away your CA and re-building your certs, it'll solve
> the CRL problem from there on out.

I'm getting up to speed.  Why does this solve the CRL problem?  If
you'd rather not explain, I'll go dig through the lists.

-- 
Jeff McCune
http://www.puppetlabs.com/
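The two claims in the reply above (the CA's CN never takes part in hostname validation, and the CA cert's key usage keeps it from serving as an SSL server certificate) can be checked against OpenSSL's own verifier. The script below is an added example written for this page; it is not code from the thread or from Puppet. It builds a throwaway CA whose CN is the deliberately meaningless "bob", issues a server certificate from it, and asks OpenSSL to verify both with the sslserver purpose. The names "bob" and "puppet.example.com" and the one-hour validity are constructed for the example.

```ruby
require 'openssl'

# Constructed names for the example: the CA is called "bob" on purpose, the
# server is the host that clients actually connect to.
CA_CN       = 'bob'
SERVER_FQDN = 'puppet.example.com'

# Build and sign an X.509v3 certificate. With ca: true it gets the extensions a
# CA needs (basicConstraints CA:TRUE, keyUsage keyCertSign+cRLSign) and nothing
# else; with ca: false it gets the extensions a TLS server needs (serverAuth
# EKU, digitalSignature/keyEncipherment, a DNS subjectAltName).
def issue_cert(subject_cn:, key:, ca:, issuer_cert: nil, issuer_key: nil, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # 2 == X.509v3, required for extensions
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.new([['CN', subject_cn]])
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}", false)) if san
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Hostname validation as a TLS client does it: only the presented leaf
# certificate's SAN (or, lacking one, its CN) is compared with the hostname.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Chain validation with the "sslserver" purpose, the same check a client's
# verifier applies. Returns [ok, error_string].
def verifies_as_server?(leaf, trust_anchor, chain = [])
  store = OpenSSL::X509::Store.new
  store.add_cert(trust_anchor)
  store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
  ok = store.verify(leaf, chain)
  [ok, store.error_string]
end

def demo
  ca_key  = OpenSSL::PKey::RSA.new(2048)
  ca_cert = issue_cert(subject_cn: CA_CN, key: ca_key, ca: true)

  server_key  = OpenSSL::PKey::RSA.new(2048)
  server_cert = issue_cert(subject_cn: SERVER_FQDN, key: server_key, ca: false,
                           issuer_cert: ca_cert, issuer_key: ca_key, san: SERVER_FQDN)

  server_ok, _          = verifies_as_server?(server_cert, ca_cert)
  ca_as_server_ok, err  = verifies_as_server?(ca_cert, ca_cert)
  {
    # The chain verifies even though the issuing CA's CN is "bob".
    server_chain_valid:  server_ok,
    server_hostname_ok:  hostname_matches?(server_cert, SERVER_FQDN),
    server_hostname_bob: hostname_matches?(server_cert, CA_CN),
    # The CA cert itself is rejected as a server certificate: its keyUsage
    # lacks digitalSignature/keyEncipherment, so OpenSSL reports an
    # unsupported certificate purpose.
    ca_usable_as_server: ca_as_server_ok,
    ca_as_server_error:  err,
  }
end

if __FILE__ == $0
  demo.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

Run it with plain `ruby` (only the bundled openssl extension is needed). The rejection of the CA certificate comes from its keyUsage, not from its CN: a CA certificate that also carried digitalSignature would pass the purpose check, which is why the key usage bits, rather than a clever name, are what keep a CA certificate off the wire as a server certificate.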

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/puppet-dev?hl=en.
