author Stephen Gallagher <sgallagh@redhat.com> 2017-09-20 14:18:24 -0400
committer Stephen Gallagher <sgallagh@redhat.com> 2017-09-20 15:00:20 -0400
commit 180ad320f452c4c58f6edc75a5749f665bf7459f (patch)
tree a12c749faa2f84c9ef4f63dc5af8fe09b56c90b6 /ssl.conf
parent 870b71c4f0c8e363d0e46c365f5d85fa76b62803 (diff)
Generate SSL keys on service start

This defers the creation of self-signed SSL certificates to the first
time that httpd starts up. This has several advantages:

* Waiting until the first boot will help avoid some issues with limited
  entropy in the install process.
* The certificates can be regenerated automatically whenever they are
  removed, which helps with tools such as virt-sysprep
* The certificates are now generated by SSCG, which produces a
  limited-trust CA alongside it that can be safely imported by a client.

For more information on SSCG, see:
https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Diffstat (limited to 'ssl.conf')
-rw-r--r-- ssl.conf 2
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl.conf b/ssl.conf
index a07bd8f..a2709ce 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -122,7 +122,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
-#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+SSLCACertificateFile /etc/pki/tls/certs/localhost-ca.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
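
Review bot: the now-active `SSLCACertificateFile /etc/pki/tls/certs/localhost-ca.crt` line sits directly under a comment block that still describes this directive as the CA set for client authentication, so the file gives no reason why the locally generated CA is listed here. Please update that comment to state the intent. If an administrator later enables the "Client Authentication (Type)" section that follows, the trust anchor for client certificates would be this self-signed local CA rather than the previously suggested `ca-bundle.crt`, which should be called out. Because the directive is no longer commented out, the configuration also depends on `localhost-ca.crt` existing when httpd reads it. It is worth confirming that the start-time generation described in the commit message always runs first, and that it recreates the CA file when only that file has been removed.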