
I think foreman and smartproxy will use the puppet certificate infrastructure (as is default in the foreman installer), so that leaves us with a few others.

Pro for a wildcard is that it's easy. You can secure lots of services with just one certificate. Con is that if one service is compromised and the private key leaks, you need to replace the certificate on all services. Given we want to set up everything and are still starting up, I'm favoring ease, thus a wildcard.

Regarding security, I hope that we eventually can use DNSSEC + DANE so we can use self-signed certificates (so without a CA), but also without the downside of nobody trusting them. That will require RH IT to support DNSSEC and much wider adoption of DNSSEC and DANE, but I strongly believe this will be the future of SSL certificates. See http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities

On Wed, Mar 27, 2013 at 03:55:48PM +0000, Karsten 'quaid' Wade wrote:
On 03/27/2013 03:46 PM, Alexander Rydekull wrote:
I vote wildcard if we're just gonna use it to protect our web.
I admit to being a bit stupid here as to the differences.
My contact at Red Hat IT (who will get for us what we need) indicated one-per-subdomain is considered more secure, but didn't have a problem ordering a wildcard for us.
- Karsten
On Wed, Mar 27, 2013 at 4:43 PM, Karsten 'quaid' Wade <kwade@redhat.com> wrote:
On 03/27/2013 02:44 PM, Mike Burns wrote:
On 03/27/2013 12:34 PM, Karsten 'quaid' Wade wrote:
We can get an SSL cert for each subdomain, or we can get a wildcard cert. My understanding is that it is more secure to use one-per-subdomain.
Presuming we want the one-per model, what are the subdomains we need to get a cert for?
gerrit.ovirt.org
jenkins.ovirt.org
resources.ovirt.org
foreman.ovirt.org
smartproxy.ovirt.org
lists.ovirt.org
etherpad? what about base ovirt.org (the wiki)?
+1 to both (www, etherpad).
Basically, anything that has a login over HTTP.
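The subdomain list in the thread, and the question of whether the bare ovirt.org wiki is covered by a wildcard, can be checked mechanically. The script below is an added example written for this page, not code from the thread or from the oVirt project. It assumes the wildcard under discussion would be issued for *.ovirt.org and applies the single-label wildcard rule of RFC 6125 section 6.4.3: a leading "*." matches exactly one DNS label, so *.ovirt.org covers gerrit.ovirt.org but neither ovirt.org itself nor a nested name such as a.b.ovirt.org. The hostnames are the ones listed in the thread; etherpad.ovirt.org and www.ovirt.org are assumed names for the two services proposed, and a.b.ovirt.org is a constructed extra included only to show the nested-label case.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: which hosts does a wildcard
# certificate name actually cover?  Implements the one-label rule of RFC 6125
# section 6.4.3 in plain POSIX sh (no openssl needed).

# wildcard_covers PATTERN HOST -> exit 0 if PATTERN covers HOST, 1 otherwise.
# Only a single leading "*." wildcard is accepted; anything else is an exact match.
wildcard_covers() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

    # A host name never legitimately contains '*'; refuse rather than match it.
    case "$host" in *\**) return 1 ;; esac

    case "$pattern" in
        \*.*) ;;                                   # wildcard form "*.suffix"
        *)    if [ "$pattern" = "$host" ]; then return 0; else return 1; fi ;;
    esac

    suffix=${pattern#\*.}                          # "*.ovirt.org" -> "ovirt.org"
    case "$suffix" in *\**) return 1 ;; esac       # reject "*.*.org" and the like

    # The host must end in ".<suffix>" (the dot prevents "evilovirt.org" matching) ...
    case "$host" in
        *."$suffix") ;;
        *) return 1 ;;
    esac

    # ... and what is left of it must be exactly one non-empty label.
    left=${host%."$suffix"}
    case "$left" in
        "" | *.*) return 1 ;;                      # bare suffix, or a nested subdomain
        *)        return 0 ;;
    esac
}

# uncovered_hosts PATTERN HOST... -> prints, one per line, the hosts PATTERN does
# not cover, i.e. the ones that would still need their own certificate.
uncovered_hosts() {
    pat=$1; shift
    for h in "$@"; do
        wildcard_covers "$pat" "$h" || printf '%s\n' "$h"
    done
}

# Hosts named in the thread, plus assumed names for the proposed etherpad and www
# services and the bare domain that was asked about.  a.b.ovirt.org is constructed.
HOSTS="gerrit.ovirt.org jenkins.ovirt.org resources.ovirt.org foreman.ovirt.org
smartproxy.ovirt.org lists.ovirt.org etherpad.ovirt.org www.ovirt.org ovirt.org"

echo "Hosts a *.ovirt.org certificate would NOT cover:"
uncovered_hosts '*.ovirt.org' $HOSTS
echo "With a constructed nested name added:"
uncovered_hosts '*.ovirt.org' $HOSTS a.b.ovirt.org
```

Run as-is: the first list prints only ovirt.org, so a wildcard alone still leaves the wiki on the bare domain needing its own certificate (or a certificate whose subject alternative names list both ovirt.org and *.ovirt.org). The second list adds a.b.ovirt.org, showing that any service later placed under a nested subdomain is likewise outside the wildcard.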