On Fri, Apr 25, 2014 at 02:33:43PM +0000, fweimer(a)fedoraproject.org wrote:
+ if ! test -e %{tlscert} ; then
+ cn="Automatically generated certificate for the %{tlsuser} service"
+ openssl req -new -x509 -extensions usr_cert \
+ -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/"
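Review bot: The `test -e %{tlscert}` guard on the first line only checks that the path exists, so an empty file left behind by an interrupted earlier run suppresses regeneration and leaves the service with an unusable certificate; `test -s %{tlscert}` would at least catch the zero-length case. Separately, `-days 7305` gives the certificate a lifetime of about 20 years, so it is worth naming the digest explicitly on the `openssl req` line rather than inheriting whatever default the installed OpenSSL applies.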
We also pass here:
-serial $RANDOM -sha256
in the mod_ssl %post, possibly recommend these also? We had a couple of
user complaints when the serial number wasn't set; not a big issue but
simple to work around.
I'm not sure whether current OpenSSL is using a SHA256 hash by default
already; that part might be redundant.
Regards, Joe