On Thu, 26 Apr 2018 23:06:12 -0400, Phil Shafer <[email protected]> wrote:
>
> Chris Morrow writes:
> >it would have helped a bit if the error was more clear :( helped me
> >anyway. I think it'd also be nice if I could have loaded the key in
> >one element and cert in another... everyone who requires them jammed
> >together does the ordering differently from the last person :(
>
> We're calling openssl's validation functions and reporting any
> errors returned, since we want our code (in the UI) to be as
> well-separated from the innards of ssl as possible. The "load-key-file"
> accepts the key and cert in either order, rewriting them in the
> "standard" openssl format.
>
> >thnx! it does (as you say next) not include the key (which has to have
> >its passphrase removed) in the pem file, it uses the load-from-file option
> >which may not be the preferred manner for the particular operator.
>
> Yes, assigning the value directly is less forgiving, since it doesn't
> perform validation. But IIRC the key/cert order still doesn't matter.
> We write the value directly into /var/etc/ssl/local/ (with the "\n"s
> unescaped).

ok. good to know.

> >it also seems to suggest that using self-signed certs is ok (it's not,
> >really it's not... set up your own CA, mint certs from it, verify certs
> >on connect) a note in the docs that: "self signed certs invite people
> >to mitm your control/monitoring comms with your network... it invites
> >people to be you on your network and do what you can do...you don't
> >want that to happen, right?" would be great to see.
>
> True. I'll pass this along.

terrific, thanks!

> >I'm unsure how I would have found this document 'quickly', I did several
> >searches for:
> > "streaming telemetry ssl certificate"
>
> FWIW, I googled "junos ssl local certificates" and got a ton of

google? who uses that old thing.. I was using the search feature on www.juniper.net :)

> pki-related entries, so did "junos ssl local certificates -pki"
> and the docs were the first item returned.

ok

> >spreading the configuration requirements far and wide in the
> >support/docs seems counter-productive to letting people self-help to a
> >solution :( it's a shame that the docs aren't more clear and more
> >centralized.
>
> Completely agree.
>
> Thanks,
>  Phil

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
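The thread above turns on three practical points about the combined PEM file: the key and certificate may appear in either order, the key must not be passphrase-protected (the device has to read it unattended), and a value pasted directly into the configuration arrives with literal "\n" sequences that must be unescaped before it is written out. The script below is an added example written for this page; it is not Junos code and not Phil's or Chris's. It is plain Python 3 with no third-party modules, and it performs only text-level checks on the PEM framing (it does not parse X.509, so it cannot tell a self-signed certificate from a CA-issued one). The ordering it emits, certificate(s) first and then the key, is an assumed convention chosen for this example; the mailing list thread does not state which order Junos writes. The PEM bodies used as sample input are constructed placeholders, not real keys or certificates.

```python
import re

# One PEM object: "-----BEGIN <label>-----", body, "-----END <label>-----".
# The body is matched lazily so headers such as "Proc-Type:" stay inside it.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----\n?",
    re.DOTALL,
)

# Labels OpenSSL uses for private keys (PKCS#8, legacy RSA/EC, encrypted PKCS#8)
# and for certificates.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}


class BundleError(ValueError):
    """Raised when the bundle cannot be used as an unattended key/cert pair."""


def unescape_newlines(text):
    """A PEM value pasted as a single configuration line carries literal
    backslash-n pairs instead of real newlines; restore them in that case."""
    if "\n" not in text and "\\n" in text:
        return text.replace("\\n", "\n")
    return text


def split_pem(text):
    """Return (label, full_block_text) for each PEM object, in file order.
    Anything outside a BEGIN/END pair (comments, 'Bag Attributes') is ignored."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(label, block):
    """Encrypted PKCS#8 keys use their own label; legacy OpenSSL keys announce
    encryption with a 'Proc-Type: 4,ENCRYPTED' header inside the block."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in block


def normalize_bundle(text):
    """Accept key and certificate(s) in any order and return a bundle in the
    assumed standard order: leaf certificate, any chain certificates, then key."""
    keys, certs, others = [], [], []
    for label, block in split_pem(unescape_newlines(text)):
        if label in KEY_LABELS:
            keys.append((label, block))
        elif label in CERT_LABELS:
            certs.append(block)
        else:
            others.append(label)
    if others:
        raise BundleError(f"unexpected PEM objects: {sorted(set(others))}")
    if len(keys) != 1:
        raise BundleError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise BundleError("no certificate found in bundle")
    label, key_block = keys[0]
    if key_is_encrypted(label, key_block):
        raise BundleError("private key is passphrase-protected; remove the passphrase first")
    return "".join(certs) + key_block


# Constructed placeholder objects for demonstration: the base64 bodies are
# NOT real keys or certificates and will not load in OpenSSL.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCERT\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholderKEY\n-----END PRIVATE KEY-----\n"
FAKE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "placeholderENCRYPTEDKEY\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Key-first, cert-first and "\n"-escaped inputs all normalize to one result.
    for sample in (FAKE_KEY + FAKE_CERT, FAKE_CERT + FAKE_KEY,
                   (FAKE_KEY + FAKE_CERT).replace("\n", "\\n")):
        print(normalize_bundle(sample) == FAKE_CERT + FAKE_KEY)
    try:
        normalize_bundle(FAKE_ENCRYPTED_KEY + FAKE_CERT)
    except BundleError as err:
        print("rejected:", err)
```

Whether the leaf certificate is self-signed, and whether it actually chains to the CA you operate, is a separate check that needs real X.509 parsing; the usual tool for that is `openssl verify -CAfile <your-ca.pem> <leaf.pem>` run before the bundle is loaded, so that a collector configured to verify on connect does not end up trusting a certificate anyone could have minted.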

