Adds `TLSCACert`, `TLSCertFromCA`, and `TLSKeyFromCA` to generate a
named CA cert/key pair and access the cert, as well as generate cert/key
pairs from that CA as needed (based on the combination of CA name, cert
name, and common name).
Useful when you need a separate CA certificate, such as working around
openssl/openssl#1418.
Fixes replicatedhq#844.
This is primarily a requirement to work around openssl/openssl#1418. All current OpenSSL releases won't verify certificates when provided a self-signed certificate. It will only accept a self-signed certificate if the verifying certificate includes the KeyCertSign bit in KeyUsage. The simplest way to work around this is first generate a CA cert/key pair, then use that to generate a certificate. The application that needs to trust the generated certificate can verify against the generated CA certificate.
This can be approximately accomplished with
and then using split and indexing to access individual entries. However, using this in a Config reliably is again difficult because you either regenerate it every time the config is evaluated (producing a different certificate), or generate it once and never change it (so the certs can't depend on other config inputs).
I'd like to have an equivalent of TLSCert/TLSKey that caches the generated certs and can access them again by name. This provides sufficient longevity to make them useful as an easy onboard tool.
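The workaround described in this issue (a CA carrying the KeyCertSign bit, a certificate signed by it, and verification against the CA only), as an added example using Go's standard library. It is not the project's code: `issue` and `verify` are hypothetical helpers and the names in `main` are constructed. Every call produces a new key and certificate, which is why the request is to cache results by name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a cert/key pair for cn; a nil ca yields a self-signed CA.
func issue(cn string, ca *tls.Certificate) (*tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true, IsCA: ca == nil,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature}
	signer := ca
	if ca == nil { // the CA is the cert that must carry the KeyCertSign bit
		t.KeyUsage, signer = x509.KeyUsageCertSign, &tls.Certificate{Leaf: t, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, signer.Leaf, pub, signer.PrivateKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

func verify(leaf, ca *tls.Certificate) error {
	roots := x509.NewCertPool() // trust only the generated CA certificate
	roots.AddCert(ca.Leaf)
	_, err := leaf.Leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	ca, err1 := issue("Example CA", nil) // constructed sample names
	leaf, err2 := issue("app.example.internal", ca)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	fmt.Println("verify error:", verify(leaf, ca))
}
```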