[Pulp-list] Pulp v2.4 with SSL

Trey Dockendorf treydock at gmail.com
Tue Sep 30 02:28:32 UTC 2014


Randy,

Thanks for the response.

> The easiest option is to configure Apache to serve Pulp with an SSL
> certificate that is signed by a CA that is already trusted by all the
> machines that will interact with Pulp. If for some reason you don't want
> to acquire a signature from a root CA that is already trusted, you can
> also make your own CA but you will have to install that CA certificate
> on all machines that want to interact with Pulp over SSL.
>

Thanks for the clarification, will give it a try.

> Are you asking about protected repositories that require client
> certificates? Non-protected repositories do not require the clients to
> present certificates. If the clients are accessing the repositories over
> SSL, they will simply need to have the appropriate root CA certificates
> installed.

I had not considered using protected repositories. I just saw some of
the comments in the various config files mentioning certificate
creation for clients via Pulp.

> Pulp does sign client certificates that are used for authentication. For
> example, this is how pulp-admin login works. However, Pulp can use its
> own CA for this activity that is separate from the CA that was used to
> sign the certificate that Apache uses.
>

What would have to be changed besides the Apache configuration to
support using a trusted certificate for accessing Pulp via SSL but
also allow Pulp to still sign its own certificates? The places that
mention certificates in the configuration files all seem to indicate
it's best to use a trusted certificate for production. Is the Pulp CA
used for activity like pulp-admin something that is set up by default,
and only Apache needs to be configured with a trusted certificate?

Thanks,
- Trey