Daniel,

On 8/31/20 16:28, Christopher Schultz wrote:
> Daniel,
>
> On 8/31/20 11:36, Daniel Savard wrote:
>> On Mon., 31 Aug. 2020 at 11:13, Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>
>>> Daniel,
>>>
>>> On 8/28/20 20:46, Daniel Savard wrote:
>>>> On Fri., 28 Aug. 2020 at 17:19, Darryl Philip Baker
>>>> <darryl.ba...@northwestern.edu> wrote:
>>>>
>>>>> I am having an issue that I don't understand. On RHEL6/CentOS and
>>>>> earlier my predecessors would put self-signed certificates they
>>>>> wanted to trust in /etc/pki/ca-trust/extracted/java/cacerts and it
>>>>> was good for the life of the machine. On RHEL7 and I assume CentOS7
>>>>> that file is part of a package that is getting updated as part of
>>>>> the regular patches. That wipes out our self-signed certificates.
>>>>> The way I understand the directions from Red Hat we should put the
>>>>> certificate in PEM format in the directory
>>>>> /etc/pki/ca-trust/source/anchors and run update-ca-trust extract
>>>>> and that will update all the appropriate files, including the
>>>>> cacerts file. That does not seem to happen. What is the proper way
>>>>> of handling self-signed certificates you want Tomcat to trust?
>>>>>
>>>>> Off topic but you are folks who might know: on a related note I
>>>>> have the same issue with Java applications not running in Tomcat
>>>>> that use the same file /etc/pki….java/cacerts. Am I understanding
>>>>> the PKI update process correctly? Am I putting the self-signed
>>>>> certificate PEM format file in the correct place?
>>>>>
>>>>> Darryl Baker, GSEC (he/him/his)
>>>>> Sr. System Administrator
>>>>> (...)
>>>>>
>>>> You can put your certificates and truststore wherever you want as
>>>> long as you tell Tomcat where they are in the conf/server.xml
>>>> configuration file when you configure the connector using them.
>>>>
>>>> Self-signed certificates should never be used on a production
>>>> server, they are not secure.
>>>
>>> What makes you say that?
>>>
>>> -chris
>>> (...)
>
>> https://www.venafi.com/blog/self-signed-certificates-cyber-criminals-are-turning-strength-into-a-vulnerability
>
> This article is talking about securing miscreants' communications. It
> really has nothing to do with self-signed certificates. It has to do
> with users blindly "trusting" anything which claims to be trustworthy
> just because it's encrypted.

I've re-read this article and also read their linked article on
Heartbleed, and I have come to the conclusion that the writers do not
have any clue what they are talking about.

-chris
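Darryl's question describes dropping a PEM into /etc/pki/ca-trust/source/anchors, running `update-ca-trust extract`, and finding the Java cacerts apparently unchanged. The script below is an added check, not code from this thread or from Red Hat: it compares the SHA-256 fingerprints of the anchor's certificates against those in the extracted PEM bundle and in the Java cacerts (dumped as PEM with `keytool -list -rfc`). The bundle path /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem and the `changeit` store password are assumptions.

```python
import base64
import hashlib
import re
import subprocess
import sys

# JAVA_CACERTS is the file the thread says package updates overwrite;
# PEM_BUNDLE and CACERTS_PASSWORD are assumptions, not values from the thread.
PEM_BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
JAVA_CACERTS = "/etc/pki/ca-trust/extracted/java/cacerts"
CACERTS_PASSWORD = "changeit"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every certificate in a PEM bundle."""
    fps = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def anchors_missing(anchor_pem, bundle_pem):
    """Fingerprints of the anchor's certs that are absent from the bundle."""
    return pem_fingerprints(anchor_pem) - pem_fingerprints(bundle_pem)


def pem_from_der(der):
    """Wrap DER bytes in PEM armour (used to build constructed sample input)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def java_cacerts_pem(path=JAVA_CACERTS, password=CACERTS_PASSWORD):
    """Dump a Java keystore as PEM with keytool so the same check applies."""
    out = subprocess.run(
        ["keytool", "-list", "-rfc", "-keystore", path, "-storepass", password],
        capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # usage: python check_anchor.py /etc/pki/ca-trust/source/anchors/my-ca.pem
    anchor = open(sys.argv[1]).read()
    for name, text in (("pem bundle", open(PEM_BUNDLE).read()),
                       ("java cacerts", java_cacerts_pem())):
        missing = anchors_missing(anchor, text)
        print(name + ": " + ("present" if not missing else "MISSING " + ", ".join(sorted(missing))))
```

The same `java_cacerts_pem` call works against a dedicated truststore kept outside the package-managed path and handed to the JVM with `-Djavax.net.ssl.trustStore`, which is one way to keep the anchor from being wiped by the next update.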