Hi, Rob Crittenden via FreeIPA-users <[email protected]> writes:
> Documents like this are for testing purposes only. We don't want to
> encourage/enable users to roll their own PKI solution as it is bound to
> lead to problems.

I can confirm it's a real problem.

> The mariadb instructions issue 10-year server certificates which is well
> out of best practices for production systems. It also almost guarantees
> that this will all have to be re-done from scratch because in 10 years
> either nobody will remember how to issue new certificates or the CA key
> will be lost to time. The certificates it generates also don't follow
> X.509 best practices regarding extensions.
>
> They may work fine for you but it's a time bomb and you could have
> interoperability problems.

I used to have a little CA with easyCA and created certificates for internal use for a couple of years. Once the browser world moved to newer requirements I needed to recreate some server certs. The last blow was that the CA signing key was no longer accepted by the browsers. When that happened I replaced all certs with FreeIPA-issued certs and never looked back. certmonger is a killer tool here - no more manual certificate switches...

I assume we'll see stronger requirements every couple of years now.

Jochen

-- 
This space is intentionally left blank.
