SSL

Ewoud Kohl van Wijngaarden ewoud+ovirt at kohlvanwijngaarden.nl
Wed Apr 3 14:26:59 UTC 2013


I think foreman and smartproxy will use the puppet certificate
infrastructure (as is default in the foreman installer), so that leaves
us with a few others.

Pro for a wildcard is that it's easy. You can secure lots of services
with just one certificate. Con is that if one service is compromised and
the private key leaks, you need to replace the certificate on all
services.

Given we want to set up everything and are still starting up, I'm favoring
ease, thus a wildcard.

Regarding security, I hope that we eventually can use DNSSEC + DANE so we
can use self-signed certificates (so without a CA), but also without the
downsides of nobody trusting it. That will require RH IT to support
DNSSEC and much wider adoption of DNSSEC and DANE but I strongly believe
this will be the future of SSL certificates. See
http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities

On Wed, Mar 27, 2013 at 03:55:48PM +0000, Karsten 'quaid' Wade wrote:
> On 03/27/2013 03:46 PM, Alexander Rydekull wrote:
> > I vote wildcard if we're just gonna use it to protect our web.
> 
> I admit to being a bit stupid here as to the differences.
> 
> My contact at Red Hat IT (who will get for us what we need) indicated
> one-per-subdomain is considered more secure, but didn't have a problem
> ordering a wildcard for us.
> 
> - Karsten
> 
> > On Wed, Mar 27, 2013 at 4:43 PM, Karsten 'quaid' Wade <kwade at redhat.com> wrote:
> > 
> >> On 03/27/2013 02:44 PM, Mike Burns wrote:
> >>> On 03/27/2013 12:34 PM, Karsten 'quaid' Wade wrote:
> >>>> We can get an SSL cert for each subdomain, or we can get a wildcard
> >>>> cert. My understanding is that it is more secure to use
> >>>> one-per-subdomain.
> >>>>
> >>>> Presuming we want the one-per model, what are the subdomains we need to
> >>>> get a cert for?
> >>>>
> >>>> gerrit.ovirt.org
> >>>> jenkins.ovirt.org
> >>>> resources.ovirt.org
> >>>> foreman.ovirt.org
> >>>> smartproxy.ovirt.org
> >>>> lists.ovirt.org
> >>>>
> >>>
> >>> etherpad?
> >>> what about base ovirt.org (the wiki)?
> >>
> >> +1 to both (www, etherpad).
> >>
> >> Basically, anything that has a login over HTTP.
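The thread's open question is whether one wildcard certificate would actually cover every service listed, including the bare ovirt.org wiki. The script below is an added example, not code from the oVirt infra team or from anyone in this thread; it applies the RFC 6125 wildcard rules (a wildcard is only valid as the whole leftmost label and matches exactly one label) to the host list from the thread. The names `www.ovirt.org` and `etherpad.ovirt.org` are assumed spellings for the "www" and "etherpad" services mentioned, and the function names are my own.

```python
"""Which hostnames does a certificate's DNS name list cover?

Added example, not from the oVirt infra thread. Wildcard handling follows
RFC 6125 section 6.4.3: the '*' must be the entire leftmost label, it
matches exactly one label, and it never matches the parent domain itself.
Partial wildcards such as 'g*.ovirt.org' are rejected here as a
conservative choice (RFC 6125 only optionally permits them).
"""

# Hosts named in the thread; www/etherpad spellings are assumptions,
# and the bare domain stands for "base ovirt.org (the wiki)".
THREAD_HOSTS = [
    "gerrit.ovirt.org",
    "jenkins.ovirt.org",
    "resources.ovirt.org",
    "foreman.ovirt.org",
    "smartproxy.ovirt.org",
    "lists.ovirt.org",
    "www.ovirt.org",        # assumed name for "www"
    "etherpad.ovirt.org",   # assumed name for "etherpad"
    "ovirt.org",            # the wiki on the base domain
]


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # The wildcard must be the complete leftmost label and appear nowhere else.
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    # Refuse overly broad patterns such as '*.org' (fewer than two fixed labels).
    if len(plabels) < 3:
        return False
    # One wildcard label covers exactly one hostname label, so label counts
    # must agree: '*.ovirt.org' covers 'gerrit.ovirt.org' but neither
    # 'ovirt.org' nor 'a.gerrit.ovirt.org'.
    if len(hlabels) != len(plabels):
        return False
    return hlabels[1:] == plabels[1:]


def coverage(cert_names, hosts):
    """Map each host to the certificate names that cover it."""
    return {h: [n for n in cert_names if name_matches(n, h)] for h in hosts}


def uncovered(cert_names, hosts):
    """Hosts that no name in the certificate covers (would fail TLS validation)."""
    return [h for h, names in coverage(cert_names, hosts).items() if not names]


if __name__ == "__main__":
    for names in (["*.ovirt.org"], ["*.ovirt.org", "ovirt.org"]):
        print(f"cert names {names}: uncovered -> {uncovered(names, THREAD_HOSTS)}")
```

Running it shows that a certificate carrying only `*.ovirt.org` leaves `ovirt.org` uncovered, so a wildcard order for this list needs the bare domain added as a second subject alternative name; every other host in the thread is a single label below ovirt.org and is covered.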