Chris Morrow writes:

> it would have helped a bit if the error was more clear :( helped me
> anyway. I think it'd also be nice if I could have loaded the key in
> one element and cert in another... everyone who requires them jammed
> together does the ordering differently from the last person :(

We're calling openssl's validation functions and reporting any errors returned, since we want our code (in the UI) to be as well-separated from the innards of ssl as possible. The "load-key-file" accepts the key and cert in either order, rewriting them in the "standard" openssl format.

> thnx! it does (as you say next) not include the key (which has to have
> its passphrase removed) in the pem file, it uses the load-from-file option
> which may not be the preferred manner for the particular operator.

Yes, assigning the value directly is less forgiving, since it doesn't perform validation. But IIRC the key/cert order still doesn't matter. We write the value directly into /var/etc/ssl/local/ (with the "\n"s unescaped).

> it also seems to suggest that using self-signed certs is ok (it's not,
> really it's not... set up your own ca, mint certs from it, verify certs
> on connect). a note in the docs that: "self signed certs invite people
> to mitm your control/monitoring comms with your network... it invites
> people to be you on your network and do what you can do... you don't
> want that to happen, right?" would be great to see.

True. I'll pass this along.

> I'm unsure how I would have found this document 'quickly', I did several
> searches for:
> "streaming telemetry ssl certificate"

FWIW, I googled "junos ssl local certificates" and got a ton of pki-related entries, so did "junos ssl local certificates -pki" and the docs were the first item returned.

> spreading the configuration requirements far and wide in the
> support/docs seems counter-productive to letting people self-help to a
> solution :( it's a shame that the docs aren't more clear and more
> centralized.

Completely agree.

Thanks,
Phil

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
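Phil's description above of a loader that accepts key and cert in either order, and of keys that must have their passphrase removed first, as an added Python example (not Juniper's load-key-file code): a small normaliser that splits a concatenated PEM bundle, rejects passphrase-protected keys and unknown blocks, checks each payload is real base64, and rewrites the bundle certificate-first. The cert-then-key output order is an assumption, and the sample PEM bodies are constructed placeholders, not real key material.

```python
import base64
import re

# One PEM block: captures the BEGIN label and everything up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def split_pem(text):
    """Return [(label, body), ...] for every PEM block, in the order found."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def normalise_key_cert_pem(text):
    """Accept a key+cert bundle in either order and return it rewritten as
    certificate(s) first, then the key (an assumed canonical order, not
    necessarily what Junos writes). Raise ValueError on anything unusable."""
    keys, certs = [], []
    for label, body in split_pem(text):
        # A passphrase-protected key cannot be loaded unattended; say so plainly.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            raise ValueError("private key is passphrase-protected; remove the passphrase first")
        # Drop any RFC 1421 header lines, then make sure the payload really is base64.
        payload = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            raise ValueError(f"{label} block is not valid base64")
        if label in KEY_LABELS:
            keys.append((label, body))
        elif label == "CERTIFICATE":
            certs.append((label, body))
        else:
            raise ValueError(f"unexpected PEM block: {label}")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("no certificate found")
    return "".join(f"-----BEGIN {l}-----\n{b}-----END {l}-----\n" for l, b in certs + keys)


# Constructed sample bundle with the key first; the bodies are placeholder
# base64, not real key or certificate material.
SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\nAAEC\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nAwQF\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(normalise_key_cert_pem(SAMPLE))
```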

