another issue to fix with the FAS2 switch: Kojis ssl certificate

Till Maas opensource at
Wed Mar 12 10:26:28 UTC 2008

On Tue March 11 2008, Dennis Gilmore wrote:
> On Tuesday 11 March 2008, Till Maas wrote:

> > [1]
> No,  Because it will break user certs.  To make it work would require that
> users all get entirely new server cert files.  We need to redo our entire

Making the user adjust his koji config for this is afaics unavoidable, except 
when nothing is changed. To make future transitions easier, the ca could be 
bundled into the fedora-packager package, so that the ca is updated 
automatically when needed.

> CA system.  We also need to consider  the ramifications for Secondary
> arches, deploying a new CA  would require each and every Secondary arch to
> purchase a cert from the same CA.  or somebody to purchase a cert that
> covered * from the same CA.

I do not see a reason for this, what does need this? According to the 
pyOpenSSL manual[1] the koji client can load several ca files to authenticate 
the server certificate, because the pem file that is loaded with 
load_client_ca can contain several certificates, e.g. the current one and the 
Equifax one.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part.
Url : 

More information about the infrastructure mailing list