Hi Miroslav,
Thank you for your feedback.
On 17-11-2021 11:28, Miroslav Suchý wrote:
> On 16. 11. 21 at 19:37, patrick+buildsys@laimbock.com wrote:
>> Thank you (both) for your feedback. And for mock. I could not get your nor Pat's suggestion to work with a self-signed certificate and key.
>
> Did you update the ca-bundle.crt?

I did not because AFAICT the ca-bundle is for CA certificates and not for a client (non-CA) certificate and key.

$ man update-ca-trust
update-ca-trust - manage consolidated and dynamic configuration of CA certificates and associated trust

I only see CA certificates mentioned in that manpage, not non-CA/client certificates and keys. On the host the ca-bundle.crt is public (0644) and I'd rather not put a client.key in there. IMHO this does not seem the appropriate place or mechanism for non-CA certificates.

>> So I came up with the attached patch. I'll be happy to create a PR/MR if this is something you would consider adding?
>
> PR is always welcomed. But before we add something new I will want to know why the current solution does not work.

I guess it works but IMHO it's just not a proper solution to mix CAs with client certificates and keys.
Best, Patrick
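
A check that follows from the argument in this thread, as an added example that is not part of the original message or of mock: it scans a PEM trust bundle for private key blocks and checks that a separately stored client key is not accessible to group or other. The helper names, file names and dummy PEM bodies are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# BEGIN line of any PEM block; the captured group is the block label.
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}


def audit_bundle(path):
    """Findings for a PEM trust bundle: it should hold certificates only."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="ascii", errors="replace") as fh:
        labels = PEM_BEGIN.findall(fh.read())
    findings = []
    keys = [lb for lb in labels if lb.endswith("PRIVATE KEY")]
    if keys:
        exposure = "readable by group/other" if mode & 0o044 else "owner-only"
        findings.append(f"{len(keys)} private key block(s), file is {exposure} ({mode:04o})")
    for label in sorted(set(labels) - CERT_LABELS - set(keys)):
        findings.append(f"unexpected PEM block type: {label}")
    return findings


def audit_key_file(path):
    """Findings for a standalone client key: no group/other access at all."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"key file mode {mode:04o} grants group/other access"] if mode & 0o077 else []


def write_pem(directory, name, labels, mode):
    """Write a constructed PEM file (dummy bodies, not real key material)."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as fh:
        for label in labels:
            fh.write(f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        mixed = write_pem(d, "ca-bundle.crt", ["CERTIFICATE", "CERTIFICATE", "PRIVATE KEY"], 0o644)
        clean = write_pem(d, "clean-bundle.crt", ["CERTIFICATE"], 0o644)
        key = write_pem(d, "client.key", ["PRIVATE KEY"], 0o600)
        for p, check in ((mixed, audit_bundle), (clean, audit_bundle), (key, audit_key_file)):
            print(os.path.basename(p), check(p) or "ok")
```

The scan looks only at PEM block labels, so it does not tell a CA certificate from a client certificate; that distinction needs an X.509 parser reading the basicConstraints extension.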