On Mon, Aug 31, 2020 at 11:13, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
> Daniel,
>
> On 8/28/20 20:46, Daniel Savard wrote:
> > On Fri, Aug 28, 2020 at 17:19, Darryl Philip Baker <
> > darryl.ba...@northwestern.edu> wrote:
> >
> >> I am having an issue that I don’t understand.  On RHEL6/CentOS
> >> and earlier my predecessors would put self-signed certificates
> >> they wanted to trust in /etc/pki/ca-trust/extracted/java/cacerts
> >> and it was good for the life of the machine. On RHEL7 and I
> >> assume CentOS7 that file is part of a package that is getting
> >> updated as part of the regular patches. That wipes out our
> >> self-signed certificates. The way I understand the directions
> >> from Red Hat we should put the certificate in pem format in the
> >> directory /etc/pki/ca-trust/source/anchors and run
> >> update-ca-trust extract and that will update the all the
> >> appropriate files. Including the cacerts file. That does not seem
> >> to happen. What is the proper way of handling self-signed
> >> certificates you want tomcat to trust?
> >>
> >> Off topic but you are folks who might know: On a related note I
> >> have the same issue with Java applications not running in Tomcat
> >> that use the same file /etc/pki….java/cacerts. Am I
> >> understanding the PKI update process correctly? Am I putting the
> >> self-signed certificate pem format file in the correct place?
> >>
> >> Darryl Baker, GSEC  (he/him/his) Sr. System Administrator (...)
> >>
> >>
> > You can put your certificates and truststore wherever you want as
> > long as you tell Tomcat where they are in the conf/server.xml
> > configuration file when you configure the connector using them.
> >
> > Self-signed certificates should never be used on a production
> > server, they are not secure.
> What makes you say that?
>
> - -chris
> (...)



https://www.venafi.com/blog/self-signed-certificates-cyber-criminals-are-turning-strength-into-a-vulnerability


"Never" may be exaggerated in my post. But in general, you should avoid them.
But it all depends on your organization as well; mine is signing internal
certificates and managing to include itself in the browsers of all the
thousands of employees. In a small business, it may not be possible and the
number of self-signed certificates may be low. In our organization, in the
past we have seen people setting up their own self-signed certificates with
keys too short to be secure by today's standards.

Regards,
-----------------
Daniel Savard
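As an added illustration of the advice above (not a configuration from anyone in this thread), this is what "tell Tomcat where the truststore is in conf/server.xml" looks like when the trust material is kept in a directory Tomcat owns rather than in the package-managed /etc/pki/ca-trust/extracted/java/cacerts. All paths, aliases and passwords are placeholders; the keytool and setenv.sh lines in the comments are the standard JDK/Tomcat mechanisms, shown here as assumptions about your layout.

```xml
<!-- conf/server.xml (Tomcat 8.5/9 syntax), added example.
     Key and trust stores live under ${catalina.base}/conf/pki, a directory no
     OS package touches, so a yum/dnf update of ca-certificates or the JDK
     cannot silently drop the internal CA or self-signed certs you trust.

     Build the truststore from the same PEM anchor you would drop into
     /etc/pki/ca-trust/source/anchors (paths are placeholders):

       keytool -importcert -noprompt -trustcacerts \
         -alias internal-ca \
         -file /etc/pki/ca-trust/source/anchors/internal-ca.pem \
         -keystore $CATALINA_BASE/conf/pki/truststore.p12 \
         -storetype PKCS12 -storepass CHANGE_ME

     Before importing, check the key size (keytool -printcert -file internal-ca.pem
     prints e.g. "2048-bit RSA key"); refuse anything below 2048-bit RSA. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150">
  <!-- truststoreFile on the connector is used to verify CLIENT certificates
       (certificateVerification="optional" or "required"). It is NOT consulted
       for outbound HTTPS calls made by webapps; see the setenv.sh note below. -->
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                 truststoreFile="${catalina.base}/conf/pki/truststore.p12"
                 truststorePassword="CHANGE_ME"
                 truststoreType="PKCS12"
                 certificateVerification="optional">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/pki/tomcat-server.p12"
                 certificateKeystorePassword="CHANGE_ME"
                 certificateKeystoreType="PKCS12"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- For the other case in the thread (Tomcat, or a plain Java app, acting as a
     TLS client that must trust an internally signed server), point the JVM at
     the same truststore instead of the package-managed cacerts, e.g. in
     $CATALINA_BASE/bin/setenv.sh:

       CATALINA_OPTS="$CATALINA_OPTS \
         -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/pki/truststore.p12 \
         -Djavax.net.ssl.trustStorePassword=CHANGE_ME \
         -Djavax.net.ssl.trustStoreType=PKCS12"

     Verify after each OS patch cycle that the entry is still present:

       keytool -list -keystore $CATALINA_BASE/conf/pki/truststore.p12 \
         -storepass CHANGE_ME | grep internal-ca -->
```

The trade-off is that a truststore under ${catalina.base} is no longer refreshed by update-ca-trust, so CA rotations have to be applied to it explicitly; in exchange, nothing outside your own deployment process can remove a trusted anchor without you noticing.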
