http://bugzilla.novell.com/show_bug.cgi?id=550395
User kkaempf@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=550395#c3
Klaus Kämpf
(In reply to comment #0)
The current yast2-webclient ssl certificate is self-generated. It should be replaced by something more trustworthy ...
Please define "something more trustworthy".
As the appliance gets updates from an SLMS server, the slms<->appliance and the appliance<->browser communication could be based on the same CA. That's the basic assumption.
And btw.: we are not talking about "client certificates" here - this is an authentication technology based on SSL certificates.
We could create a general server certificate or an entire CA and ship it, but this does not change the trustworthiness. To the contrary: if the certificate key file is published, everybody could decrypt the SSL traffic. So the current situation is the best I can imagine for now.
So it's up to the vendor to create (and install) a certificate ?!
If it comes to deployment every customer has to create his own certificate(s)
customer ? I guess you mean 'vendor', the one creating the appliance.
for his system(s) anyway, as he can only trust a certificate he created and implemented himself and it has to match his domainname(s). We can not do this for him. We can only help by pointing him to the yast2-ca-management module.
For his appliances he thus has to use a certificate whose CA is already part of the openssl-certs package and make sure it gets into the appliance _or_ he has to make sure that his own CA certificate file gets into the appliance.
I discussed the latter with Michael Calmer and we agreed that SLMS should not import any CA certificate automatically. As this is a step that touches the trust relationship between two systems, parties or even companies this has to be a deliberate action.
Agreed. Question is, what's the default certificate delivered with yast2-webclient ? The current one is self-generated ('webyast team') and serves the needs to run over https. Since it's packaged inside a(n autobuild) signed package, it has an established chain of trust. Can we package a 'Novell Inc' or 'SUSE Linux Products GmbH' certificate instead ? Which advice can we give appliance vendors ?
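Added example, not part of the bug report and not yast2-webclient or yast2-ca-management code: the steps the comment above says the appliance vendor has to do himself, done with plain openssl, followed by the verification outcomes the thread argues about. Every name is an assumption: a vendor CA called "Example Appliance Vendor CA", an appliance reached as appliance.example.com, and a temporary work directory. The point it makes concrete is the one in the thread: the CA private key (ca.key) stays with the vendor and only ca.crt goes into the appliance or the browser, the server certificate must carry the hostname the browser uses, and a certificate whose CA is not in the trust store is not trusted no matter who signed it.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumed names: "Example Appliance
# Vendor CA", appliance.example.com, and a temporary work directory.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"
HOST="appliance.example.com"

# 1. Vendor CA. ca.key never leaves the vendor; only ca.crt is copied into the
#    appliance image or imported into the browser. Shipping ca.key in a package
#    would be the "key file is published" case from the thread.
make_vendor_ca() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Appliance Vendor/CN=Example Appliance Vendor CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Per-appliance server certificate signed by that CA. The SAN must match the
#    name the browser uses, which is why nobody can pre-generate it for the vendor.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf '%s\n' "subjectAltName=DNS:$1" 'extendedKeyUsage=serverAuth' \
                'basicConstraints=CA:FALSE' > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# 3. A self-signed certificate, the kind yast2-webclient ships today.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=webyast team" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" >/dev/null 2>&1
}

# verify_cert CERT CAFILE HOSTNAME -> prints OK or FAIL.
# An empty CAFILE means "a trust store that does not contain the vendor CA".
verify_cert() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$3" "$1" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  fi
}

# Run the four checks and print the results in order:
#   1. vendor-signed cert, right hostname, vendor CA trusted        -> OK
#   2. same cert, but the browser used a different hostname          -> FAIL
#   3. today's self-signed cert checked against the vendor CA        -> FAIL
#   4. vendor-signed cert, vendor CA NOT in the trust store          -> FAIL
run_demo() {
  make_vendor_ca
  make_server_cert "$HOST"
  make_self_signed
  r1=$(verify_cert "$WORK/$HOST.crt" "$WORK/ca.crt" "$HOST")
  r2=$(verify_cert "$WORK/$HOST.crt" "$WORK/ca.crt" "other.example.com")
  r3=$(verify_cert "$WORK/self.crt" "$WORK/ca.crt" "$HOST")
  r4=$(verify_cert "$WORK/$HOST.crt" "" "$HOST")
  echo "$r1 $r2 $r3 $r4"
}

run_demo
```

Case 4 is the situation the comment describes for SLMS: unless the vendor's ca.crt has been deliberately placed into the appliance's trust store (or the CA is one already shipped in openssl-certs), verification fails even though the certificate is perfectly well formed. `-verify_hostname` needs OpenSSL 1.1.0 or newer.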