Hi,
Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> writes:

> Documents like this are for testing purposes only. We don't want to
> encourage/enable users to roll their own PKI solution as it is bound to
> lead to problems.
I can confirm it's a real problem.
The mariadb instructions issue 10-year server certificates which is well
out of best practices for production systems. It also almost guarantees
that this will all have to be re-done from scratch because in 10 years
either nobody will remember how to issue new certificates or the CA key
will be lost to time. The certificates it generates also don't follow
X.509 best practices regarding extensions.
They may work fine for you but it's a time bomb and you could have
interoperability problems.
I used to have a little CA with easyCA and created certificates for
internal use for a couple of years. Once the browser world moved to
newer requirements I needed to recreate some server certs. The last blow
was that the CA signing key was no longer accepted by the browsers. When
that happened I replaced all certs with FreeIPA issued certs and never
looked back. certmonger is a killer tool here - no more manual
certificate switches...
I assume we'll see stronger requirements every couple of years now.
Jochen
--
This space is intentionally left blank.
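The two concrete complaints above, an over-long validity period and missing X.509 extensions, are easy to check mechanically before a home-grown cert goes into production. The script below is an added example and is not code from this thread, from FreeIPA or from certmonger: it generates a 10-year extension-less self-signed cert like the ones the mariadb instructions produce, a 1-year cert with SAN, keyUsage and extendedKeyUsage, and audits both. It assumes openssl 1.1.1 or later (for `-addext`) and GNU `date` (for `-d`); the hostname `db.example.test`, the 397-day limit and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger.
# Assumes: openssl >= 1.1.1 (for -addext) and GNU date (for -d).
# db.example.test and the file names are constructed placeholders.
set -e

WORK="${TMPDIR:-/tmp}/cert-audit-$$"
mkdir -p "$WORK"

# Self-signed server cert for demonstration. Extra -addext arguments are
# passed through so the same helper can produce a bare, extension-less cert.
make_cert() {
    days="$1"; out="$2"; shift 2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out.key" -out "$out" -days "$days" \
        -subj "/CN=db.example.test" "$@" >/dev/null 2>&1
}

# Total validity period (notAfter - notBefore) of a PEM cert, in days.
cert_lifetime_days() {
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ($(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s)) / 86400 ))
}

# True if the textual dump of the cert lists the named X509v3 extension.
cert_has_ext() {
    openssl x509 -in "$1" -noout -text | grep -q "$2:"
}

# Audit one certificate against a maximum lifetime (default 397 days, the
# current ceiling for publicly trusted server certs) and the extensions a
# TLS server cert needs. Returns non-zero if any check fails.
audit_cert() {
    cert="$1"; max_days="${2:-397}"; rc=0
    days=$(cert_lifetime_days "$cert")
    if [ "$days" -gt "$max_days" ]; then
        echo "FAIL: validity ${days}d exceeds ${max_days}d"; rc=1
    else
        echo "ok:   validity ${days}d"
    fi
    for ext in "X509v3 Subject Alternative Name" \
               "X509v3 Key Usage" \
               "X509v3 Extended Key Usage"; do
        if cert_has_ext "$cert" "$ext"; then
            echo "ok:   $ext present"
        else
            echo "FAIL: $ext missing"; rc=1
        fi
    done
    return "$rc"
}

# A cert like the 10-year, extension-less ones the thread complains about...
make_cert 3650 "$WORK/bad.pem"
# ...and one with a sane lifetime and the extensions modern clients expect.
make_cert 365 "$WORK/good.pem" \
    -addext "subjectAltName=DNS:db.example.test" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth"

for c in "$WORK/bad.pem" "$WORK/good.pem"; do
    echo "== $c"
    if audit_cert "$c"; then echo "PASS"; else echo "REJECT"; fi
done
```

Run it as-is to see the 10-year cert rejected on all four counts and the 1-year cert pass; point `audit_cert` at any PEM file to audit an existing certificate. The lifetime check measures notAfter minus notBefore rather than time remaining, so a cert issued years ago with a decade of validity is still flagged.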