On Wed, Jun 1, 2011 at 9:41 AM, Mircea Carasel <[email protected]> wrote:
>
> On Thu, May 19, 2011 at 7:29 PM, Douglas Hubler <[email protected]> wrote:
>
>> On Thu, May 19, 2011 at 10:27 AM, Mircea Carasel <[email protected]> wrote:
>> > With regard to XX-8779 the thing is that sipXconfig certificate authority
>> > page for uploading certificates rejects non-trusted certificates
>> > (certificates signed by a trusted authority)
>> > Therefore, self-signed certificates do not pass validation and cannot be
>> > uploaded
>>
>> Is the problem that we have also should be managing authorities too?
>>
> That's hard to say. One thing is that the root certificate that is
> generated at system setup is not signed by a trusted authority,
> and therefore it is not trusted. As an example, browsers detect the
> certificate exposed at https://<host>:8443/ and they report that it is not
> trusted, meaning that it is not signed by a trusted authority
>
> I think that's fine, I don't think that sipxecs should deal with trusted
> authorities, and I think it is also fine for sipx to require a trusted
> certificate if someone wants to upload a new certificate.
> Hope this answers the question :)
>

I do know how the certs and CAs work, but my question is more along the lines of what we need to do to support users w/real certs or certs they've generated elsewhere.

>
>> > So my question is: will it be desirable to remove that additional
>> > verification (openssl -verify)?
>>
>> We want to disallow certs uploads that will cause the system to not
>> work. As far as I know, uploading a self-signed cert w/o also
>> installing the self-generated cert authority will break the system.
>> Right?
>>
> I agree, IMO we should keep certificate verification as is in sipXconfig.
> The most important thing is to define clear steps that should be followed by
> every user admin to generate certificate and upload through UI
>

right, 2 cases:

1.) certs/CAs admins have generated elsewhere
2.) certs and/or CAs from real authorities
_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
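
The behaviour discussed in this thread, as an added example that is not part of the original messages and not sipXconfig's own code: a certificate issued by a privately generated CA fails `openssl verify` until that CA is supplied as a trusted authority. It assumes the upload check behaves like `openssl verify` and that the `openssl` CLI is installed; the CA name, host name and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example. The CA and host names below are constructed for the demo.

# Build a throwaway private CA and a server certificate signed by it in dir $1.
make_demo_pki() {
  d=$1
  # Self-signed root: the kind of CA an admin generates elsewhere.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Private CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Server key and signing request (hypothetical host name).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sipx.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  # Issue the server certificate from the private CA.
  openssl x509 -req -in "$d/server.csr" -days 2 \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/server.crt" 2>/dev/null || return 1
}

# Print "accepted" or "rejected" for certificate $1.
# If $2 is given, that file is added as a trusted CA bundle; otherwise only
# OpenSSL's default trust store is consulted.
verify_status() {
  cert=$1
  ca=$2
  if [ -n "$ca" ]; then set -- -CAfile "$ca" "$cert"; else set -- "$cert"; fi
  if openssl verify "$@" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Demo run: the same server certificate, with and without its issuing CA.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "server cert, default trust store : $(verify_status "$demo_dir/server.crt")"
echo "private CA root, default store   : $(verify_status "$demo_dir/ca.crt")"
echo "server cert, private CA supplied : $(verify_status "$demo_dir/server.crt" "$demo_dir/ca.crt")"
rm -rf "$demo_dir"
```

This corresponds to case 1.) above: the certificate only validates once the authority that issued it is available to the verifier.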
