On Fri, Apr 25, 2014 at 02:33:43PM +0000, [email protected] wrote:
> +  if ! test -e %{tlscert} ; then
> +    cn="Automatically generated certificate for the %{tlsuser} service"
> +    openssl req -new -x509 -extensions usr_cert \
> +      -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/"
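
Review bot: the guard on the first quoted line tests only for %{tlscert}, while the openssl req call reads %{tlskey} through -key, and nothing in the quoted lines checks that the key file exists. With a missing key the req call fails and no certificate is written, so consider testing both files in the guard or checking the exit status of openssl. Separately, -days 7305 hard-codes a validity of roughly 20 years with no comment; a one-line comment giving the reason, or a macro for the value, would make that choice reviewable.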

We also pass here:

 -serial $RANDOM -sha256

in the mod_ssl %post, possibly recommend these also?  We had a couple of 
user complaints when the serial number wasn't set; not a big issue but 
simple to work around.

I'm not sure whether current OpenSSL is using a SHA256 hash by default 
already, that part might be redundant.

Regards, Joe
