From 180ad320f452c4c58f6edc75a5749f665bf7459f Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Wed, 20 Sep 2017 14:18:24 -0400 Subject: Generate SSL keys on service start This defers the creation of self-signed SSL certificates to the first time that httpd starts up. This has several advantages: * Waiting until the first boot will help avoid some issues with limited entropy in the install process. * The certificates can be regenerated automatically whenever they are removed, which helps with tools such as virt-sysprep * The certificates are now generated by SSCG, which produces a limited-trust CA alongside it that can be safely imported by a client. For more information on SSCG, see: https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/ Signed-off-by: Stephen Gallagher --- ssl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ssl.conf') diff --git a/ssl.conf b/ssl.conf index a07bd8f..a2709ce 100644 --- a/ssl.conf +++ b/ssl.conf @@ -122,7 +122,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) -#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt +SSLCACertificateFile /etc/pki/tls/certs/localhost-ca.crt # Client Authentication (Type): # Client certificate verification type and depth. Types are -- cgit
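Review bot: The newly active `SSLCACertificateFile /etc/pki/tls/certs/localhost-ca.crt` line sits under a comment that describes this directive as the CA path for client authentication, but the commit message presents the SSCG CA as something a client imports in order to trust the server. The existing comment block should say which purpose is intended. If client verification is enabled in the "Client Authentication (Type)" section that follows, certificates chaining to this locally generated CA would become the trust anchor for client certificates, so that consequence should be documented next to the directive. It would also help to keep the old `#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt` line as a commented alternative. Separately, this makes ssl.conf depend on a file that, per the commit message, is only created at service start, and the generation step is not visible in this ssl.conf-only view. Please confirm that it runs before httpd parses the configuration, including after the certificates have been removed for regeneration.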