|
|
This defers the creation of self-signed SSL certificates to the
first time that httpd starts up. This has several advantages:
* Waiting until the first boot will help avoid some issues with
limited entropy in the install process.
* The certificates can be regenerated automatically whenever they
are removed, which helps with tools such as virt-sysprep
* The certificates are now generated by SSCG, which produces a
limited-trust CA alongside it that can be safely imported by a
client.
For more information on SSCG, see:
https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
