Hi Trey,

On 09/25/2014 12:12 PM, Trey Dockendorf wrote:
> I'd like to use verify_ssl, but unsure how to go about this.
>
> I use Puppet for my infrastructure, and am comfortable re-using that
> CA for Pulp, but unsure how to make that work in Pulp.
>
> My other option would be to get a trusted SSL cert from my University.
> My University (where these servers run) provides InCommon SSL certs.
> Again, unsure how to configure Pulp if I get a certificate that's
> trusted.

The easiest option is to configure Apache to serve Pulp with an SSL certificate that is signed by a CA that is already trusted by all the machines that will interact with Pulp. If for some reason you don't want to acquire a signature from a root CA that is already trusted, you can also make your own CA, but you will have to install that CA certificate on all machines that want to interact with Pulp over SSL.

> My concern is how Pulp interacts with SSL in terms of consumers /
> clients. Does Pulp have to be able to sign the clients, or are the
> clients expected to have a certificate from the CA used by Pulp?
> Getting a certificate from my University for every client would be
> difficult and time consuming, and impossible to automate.

Are you asking about protected repositories that require client certificates? Non-protected repositories do not require the clients to present certificates. If the clients are accessing the repositories over SSL, they will simply need to have the appropriate root CA certificates installed.

> Using Puppet certificates can be automated, as I do that currently for
> my LDAP setup, but if Pulp is expected to sign certificates, that
> would be an issue, at least in my limited understanding.

Pulp does sign client certificates that are used for authentication. For example, this is how pulp-admin login works. However, Pulp can use its own CA for this activity that is separate from the CA that was used to sign the certificate that Apache uses.
_______________________________________________ Pulp-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/pulp-list
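The "make your own CA" route from the reply, as an added example that is neither Pulp's code nor anything posted in this thread: it builds a throwaway private CA and an Apache server certificate in a temp directory, then shows what a client with verify_ssl turned on sees before and after that CA certificate is installed. The hostname pulp.example.internal, the CA name and the verify_chain helper are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the Pulp project or from anyone in this thread.
# Builds a private CA plus a server certificate for the Apache vhost serving
# Pulp, then checks the chain the way a verify_ssl client would: it fails
# against the system trust store and passes once the CA certificate has been
# installed on the client (modelled here as a CA bundle file).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Hypothetical Pulp server hostname; not from the original thread.
PULP_HOST="pulp.example.internal"

# 1. The private CA: a one-year self-signed root certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Pulp CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Key and CSR for the Apache vhost, then sign the CSR with the CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$PULP_HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null

# 3. What a client holds once the CA is installed (on RHEL-family hosts that
#    is the update-ca-trust step); here it is simply a bundle file.
cp "$WORK/ca.crt" "$WORK/client-ca-bundle.pem"

# verify_chain CERT [CA_BUNDLE]: prints "ok" if CERT chains to a trusted CA,
# otherwise "fail". With no bundle only the system trust store is consulted,
# which is the situation of a client that never had the private CA installed.
verify_chain() {
    if [ "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify "$1" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

echo "system store only: $(verify_chain "$WORK/server.crt")"                              # fail
echo "with private CA:   $(verify_chain "$WORK/server.crt" "$WORK/client-ca-bundle.pem")"  # ok
```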
