Hi Miroslav,
Thank you for your feedback.
On 17-11-2021 11:28, Miroslav Suchý wrote:
> On 16. 11. 21 at 19:37, patrick+buildsys(a)laimbock.com wrote:
>> Thank you (both) for your feedback. And for mock. I could not get your
>> nor Pat's suggestion to work with a self-signed certificate and key.
> Did you update the ca-bundle.crt?
> https://unix.stackexchange.com/a/445884/100010
I did not because AFAICT the ca-bundle is for CA certificates and not
for a client (non-CA) certificate and key.
$ man update-ca-trust
update-ca-trust - manage consolidated and dynamic configuration of CA
certificates and associated trust
I only see CA certificates mentioned in that manpage, not non-CA/client
certificates and keys. On the host the ca-bundle.crt is public (0644)
and I'd rather not put a client.key in there. IMHO this does not seem
the appropriate place or mechanism for non-CA certificates.
>> So I came up with the attached patch. I'll be happy to create a PR/MR
>> if this is something you would consider adding?
> PR is always welcomed. But before we add something new I will want to
> know why the current solution does not work.
I guess it works but IMHO it's just not a proper solution to mix CAs
with client certificates and keys.
Best,
Patrick