On 09/29/2014 10:28 PM, Trey Dockendorf wrote:
> What would have to be changed besides the apache configuration to
> support using a trusted certificate for accessing Pulp via SSL but
> also allow Pulp to still sign its own certificates?  The places that
> mention certificates in the configuration files all seem to indicate
> it's best to use a trusted certificate for production.  Is the Pulp CA
> used for activity like pulp-admin something that is set up by default,
> and only Apache needs to be configured with a trusted certificate?

Hi Trey,

You don't need to worry about the Pulp CA. It's internal to Pulp and is
generated at install time. Of course, you are free to replace it with
your own certificate if you like. It is installed at /etc/pki/pulp. This
CA is used to sign user login certificates. When pulp-admin login is
successful, the server creates a client certificate, signs it with that
CA, and hands it back to pulp-admin. pulp-admin then uses this
certificate to authenticate the user for future calls until the
certificate expires.

If you want to serve Pulp with a signed certificate, you need to edit
/etc/httpd/conf.d/ssl.conf. In this file you can change the SSL
certificate and key that Apache uses to serve all SSL content. You can
read about the settings in this file here:

https://httpd.apache.org/docs/2.2/mod/mod_ssl.html


_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list
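Added example, not part of the original message or of Pulp's own code: the reply above describes two separate certificate roles, the internal CA that signs pulp-admin login certificates and the certificate Apache serves from ssl.conf. This sketch builds both chains with openssl in a temporary directory to show they validate independently. All file names, subject names and both CAs are constructed for the demo; nothing under /etc/pki/pulp or /etc/httpd is read or changed.

```shell
#!/bin/sh
# Constructed demo: two independent trust chains, built in a temp directory.
#   internal.* = stand-in for the CA Pulp generates at install time
#   public.*   = stand-in for the trusted CA that issues Apache's server cert

make_ca() {   # $1 = file prefix, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

issue() {     # $1 = CA prefix, $2 = leaf prefix, $3 = subject CN
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=$3" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

signed_by() { # $1 = CA prefix, $2 = leaf prefix; prints yes or no
    if openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    ( cd "$d" &&
      make_ca internal "Internal CA (constructed)" &&
      make_ca public "Public CA (constructed)" &&
      issue internal login "admin" &&              # like a pulp-admin login cert
      issue public server "pulp.example.com" &&    # like the cert in ssl.conf
      echo "login/internal=$(signed_by internal login)" &&
      echo "login/public=$(signed_by public login)" &&
      echo "server/public=$(signed_by public server)" &&
      echo "server/internal=$(signed_by internal server)" )
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

The login certificate validates only against the internal CA and the server certificate only against the public one, which is why replacing the certificate Apache serves does not require touching the CA that signs login certificates.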