
Re: another issue to fix with the FAS2 switch: Kojis ssl certificate



On Tue March 11 2008, Dennis Gilmore wrote:
> On Tuesday 11 March 2008, Till Maas wrote:

> > [1] https://fedorahosted.org/fedora-infrastructure/ticket/88
>
> No, because it will break user certs.  To make it work would require that
> users all get entirely new server cert files.  We need to redo our entire

Making the user adjust his koji config for this is afaics unavoidable, except
when nothing is changed. To make future transitions easier, the CA could be
bundled into the fedora-packager package, so that the CA is updated
automatically when needed.

> CA system.  We also need to consider the ramifications for Secondary
> arches: deploying a new CA would require each and every Secondary arch to
> purchase a cert from the same CA, or somebody to purchase a cert that
> covered *.koji.fedoraproject.org from the same CA.

I do not see a reason for this; what needs this? According to the
pyOpenSSL manual[1] the koji client can load several CA files to authenticate
the server certificate, because the pem file that is loaded with
load_client_ca can contain several certificates, e.g. the current one and the
Equifax one.

Regards,
Till

[1] http://pyopenssl.sourceforge.net/pyOpenSSL.ps
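
The multi-CA PEM file discussed in the message above, shown with the openssl command line rather than pyOpenSSL. This is an added example, not part of the original mail or of Koji; the CA names, host names and files are throwaway constructions standing in for the current CA and a commercial one.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs stand in for the current Koji CA
# and a commercial CA; every name and file here is made up.
set -e
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cd "$tmp"

# make_ca NAME: self-signed CA certificate NAME.pem with key NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue CA NAME: server certificate NAME.pem signed by CA
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# trusted CAFILE CERT: true if CERT chains to any CA certificate in CAFILE
trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report CAFILE CERT: print the verification outcome
report() {
    if trusted "$1" "$2"; then echo "$2 verifies against $1"
    else echo "$2 REJECTED by $1"; fi
}

make_ca current-ca
make_ca commercial-ca
issue commercial-ca primary-hub      # hub moved to the commercial CA
issue current-ca secondary-hub       # secondary arch keeps its old cert

# One PEM file holding both CA certificates
cat current-ca.pem commercial-ca.pem > bundle.pem

report current-ca.pem primary-hub.pem    # old single-CA file: rejected
report bundle.pem primary-hub.pem        # bundle: accepted
report bundle.pem secondary-hub.pem      # bundle: accepted
```

A client that trusts the bundle accepts server certificates from either CA, so the width of that trust is set by every CA placed in the file.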
