[Hawkular-dev] SSL by default
Juraci Paixão Kröhling
jpkroehling at redhat.com
Mon May 30 03:14:46 EDT 2016

On 26.05.2016 11:51, Jiri Kremser wrote:
> what about creating a default certificate that is issued by a commonly
> accepted root CA (at least in the modern browsers, not sure about JVM if
> there is something similar). On the internets there is a service
> https://letsencrypt.org. I haven't tried it yet, but it also has some API
> for doing it automatically, so we can even go further. What I've tried
> is the https://www.startssl.com and it worked perfectly, I can see the
> green https in the chrome :] Both services are for free, but afaik,
> don't allow to issue the "star" certificate, but for the dev purposes
> all we need is the cert for the localhost, right?

Not sure I got what you mean. Any issuer requires you to have the real name
for the host you are registering. So, you can't register "localhost" :)
You'd have to register something like jenkins.kroehling.de (this uses
Let's Encrypt). For Let's Encrypt, it's automated in the way that you
tell it that you want to register "hawkular.domain.tld" and it will make
an HTTP call to
"http://hawkular.domain.tld/letsencrypt-some-file-created-by-cli". So,
this requires the client to have a functional DNS name.

But even if it were possible to register a name like localhost (such as
"hawkular"), your certificate would be revoked by the issuer if you
exposed your private key. One of the common terms among all certificate
providers is that you should take reasonable steps to protect your keys.
- Juca.