Building production machines out-of-place, regenerating certs when a machine's identity changes, etc.
nodata
lsof at nodata.co.uk
Sat Nov 27 20:09:58 UTC 2010
On 27/11/10 16:44, Ralf Ertzinger wrote:
> Hi.
>
> On Sat, 27 Nov 2010 16:15:47 +0100, nodata wrote
>
>> I don't agree. If you are replacing a production machine, you take
>> the keys from the old machine and use them. If you don't want to do
>> that, you buy new, probably stronger, certificates that are also
>> valid. I think your case only covers self-signed certificates.
>
> I agree, usually the keys from the old machine are imported into the new.
> I do, however, question the usefulness of generating self signed keys
> for 'localhost' or 'localhost.localdomain'. Is there any valid use
> case for these?
Not normally, no.
localhost is a catchall for when either your hosts file is badly
configured or you didn't configure networking yet. So we're back to the
problem you mentioned of these things running from rpm scriptlets.
Maybe the sshd approach would be better - generate at first run of the
daemon?
More information about the devel
mailing list