[pkg-discuss] Re: Code review request for 17913496 certificates for test suite are expiring

  • From: Yiteng Zhang < >
  • To:
  • Subject: [pkg-discuss] Re: Code review request for 17913496 certificates for test suite are expiring
  • Date: Fri, 13 Dec 2013 12:02:51 -0800

On 12/13/13 10:54 AM, Erik Trauschke wrote:


On 12/13/13 10:40 AM, Yiteng Zhang wrote:
On 12/13/13 10:25 AM, Danek Duvall wrote:
Yiteng Zhang wrote:

Hi,

For this one, I regenerated the certificates and keys with updated
validity duration for test suite. Please see the following link and let me
know your comments.

https://ips.java.net/webrev/yitezhan/17913496/

Why the changes to generate_certs?

Hi,

The change to generate_certs.py is to keep the generated keys stored in the
old format, which is created by OpenSSL 0.9.8 and not encrypted. The
problem is when I use the original generate_certs.py file, it would use
OpenSSL 1.0.0 and generate the keys in an encrypted format. And since
Apache has no support for encrypted private keys currently, refer to
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxymachinecertificatefile,
Apache cannot read the encrypted keys and would fail. Thanks to Erik for
pointing out this issue.

One more thing I realized reading this the second time.

We are using OpenSSL 1.0.0 either way; the only thing that changed is the *default* key format. We just have to make sure that we don't use the default key format for 1.0.0 but use the format which was default for 0.9.8.

Erik

Cool, I think I missed the important part in my last message. It is nothing related to the encryption since we also specify "-nodes" in the "openssl rsa" command. It is about the key format. We used to generate the PKCS#1 RSA private key format, as denoted by
-----BEGIN RSA PRIVATE KEY-----

And now OpenSSL 1.0.0 would generate a PKCS#8 private key format, as denoted by
-----BEGIN PRIVATE KEY-----

which is probably not accepted by Apache?

So we need to keep the old format.

Yiteng
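
The format distinction discussed in this thread, as an added example that is not part of the original messages or of generate_certs.py: a check that names the container format of a PEM private key and confirms that the DER body matches its BEGIN line. It relies on the fact that a PKCS#1 RSAPrivateKey has an INTEGER (the modulus) after the version field, while a PKCS#8 PrivateKeyInfo has the AlgorithmIdentifier SEQUENCE there. The function names, return strings and sample keys are assumptions constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_key(pem_text):
    """Name the private key container format of the first PEM block."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "not-pem"
    label, body = m.groups()
    if label == "RSA PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED" in body:
        return "pkcs1-encrypted"           # traditional format with a passphrase
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    try:
        der = base64.b64decode("".join(body.split()))
        tag, start, _ = _tlv(der, 0)       # outer SEQUENCE
        vtag, _, vend = _tlv(der, start)   # version INTEGER
        nxt = der[vend]                    # tag of the element after the version
    except (IndexError, ValueError):
        return "malformed"
    if tag != 0x30 or vtag != 0x02:
        return "malformed"
    # PKCS#1 continues with INTEGER n; PKCS#8 with the AlgorithmIdentifier SEQUENCE
    actual = {0x02: "pkcs1", 0x30: "pkcs8"}.get(nxt, "unrecognized")
    expected = {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8"}.get(label)
    if actual == "unrecognized" or expected is None:
        return "unrecognized"
    return actual if actual == expected else "label-mismatch"

def _pem(label, der):
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

# Constructed DER skeletons: correct outer structure only, not usable keys
PKCS8_DER = bytes.fromhex("3014020100300d06092a864886f70d01010105000400")
PKCS1_SAMPLE = _pem("RSA PRIVATE KEY", bytes.fromhex("3006020100020101"))
PKCS8_SAMPLE = _pem("PRIVATE KEY", PKCS8_DER)
MISLABELED = _pem("RSA PRIVATE KEY", PKCS8_DER)
```

Run over the regenerated test-suite keys, a result other than "pkcs1" flags a file that is not in the old unencrypted format the thread wants to keep.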
