Building production machines out-of-place, regenerating certs when a machine's identity changes, etc.

nodata lsof at
Sat Nov 27 20:09:58 UTC 2010

On 27/11/10 16:44, Ralf Ertzinger wrote:
> Hi.
> On Sat, 27 Nov 2010 16:15:47 +0100, nodata wrote
>> I don't agree. If you are replacing a production machine, you take
>> the keys from the old machine and use them. If you don't want to do
>> that, you buy new, probably stronger, certificates that are also
>> valid. I think your case only covers self-signed certificates.
> I agree, usually the keys from the old machine are imported into the new.
> I do, however, question the usefulness of generating self signed keys
> for 'localhost' or 'localhost.localdomain'. Is there any valid use
> case for these?

Not normally, no.

localhost is a catchall for when either your hosts file is badly 
configured or you didn't configure networking yet. So we're back to the 
problem you mentioned of these things running from rpm scriptlets.

Maybe the sshd approach would be better - generate at first run of the 

More information about the devel mailing list