On 26.05.2016 11:51, Jiri Kremser wrote:
> what about creating a default certificate that is issued by a commonly
> accepted root CA (at least in the modern browsers, not sure about JVM if
> there is something similar). On the internets there is a service
> https://letsencrypt.org . I haven't tried it yet, but it also has some API
> for doing it automatically, so we can even go further. What I've tried
> is https://www.startssl.com and it worked perfectly, I can see the
> green https in Chrome :] Both services are for free, but afaik,
> don't allow issuing the "star" certificate, but for the dev purposes
> all we need is the cert for the localhost, right?

Not sure I got what you mean. Any issuer requires you to have the real name
for the host you are registering. So, you can't register "localhost" :)
You'd have to register something like jenkins.kroehling.de (this uses
Let's Encrypt). For Let's Encrypt, it's automated in the way that you
tell it that you want to register "hawkular.domain.tld" and it will make
an HTTP call to
"http://hawkular.domain.tld/letsencrypt-some-file-created-by-cli". So,
this requires the client to have a functional DNS name.
But even if it were possible to register a name like localhost (such as
"hawkular"), your certificate would be revoked by the issuer if you
exposed your private key. One of the common terms among all certificate
providers is that you should take reasonable steps to protect your keys.
- Juca.
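
The HTTP validation step described in the reply above, as an added example that is not part of the original thread and is not Let's Encrypt's own code. The `/.well-known/acme-challenge/` path and the key-authorization format are taken from RFC 8555 and RFC 7638, not from the thread; the token and account keys are constructed, and both sides run on loopback with an arbitrary port, whereas a real CA resolves the public DNS name and connects to port 80.

```python
import base64, hashlib, http.client, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 path defined in RFC 8555

def key_authorization(token, jwk):
    # token + "." + base64url(SHA-256 of the canonical JWK), per RFC 7638
    members = {k: jwk[k] for k in ("e", "kty", "n")}
    canon = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    thumb = base64.urlsafe_b64encode(hashlib.sha256(canon).digest()).rstrip(b"=")
    return token + "." + thumb.decode()

def make_handler(challenges):
    class Handler(BaseHTTPRequestHandler):  # the applicant's web server
        def do_GET(self):
            token = self.path[len(PREFIX):] if self.path.startswith(PREFIX) else None
            body = challenges.get(token)
            self.send_response(200 if body else 404)
            self.end_headers()
            if body: self.wfile.write(body.encode())
        def log_message(self, *args): pass  # keep the demo quiet
    return Handler

def ca_validate(host, port, token, jwk):
    # The CA side: fetch the file by host name and compare it with the expected value.
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", PREFIX + token)
        resp = conn.getresponse()
        return resp.status == 200 and resp.read().decode().strip() == key_authorization(token, jwk)
    except OSError:
        return False  # name does not resolve or host is unreachable: no certificate
    finally:
        conn.close()

def demo():
    jwk = {"kty": "RSA", "e": "AQAB", "n": "Y29uc3RydWN0ZWQtbW9kdWx1cw"}  # constructed account key
    other = {"kty": "RSA", "e": "AQAB", "n": "c29tZW9uZS1lbHNl"}          # constructed, different account
    token = "constructed-token-123"                                       # constructed challenge token
    server = HTTPServer(("127.0.0.1", 0), make_handler({token: key_authorization(token, jwk)}))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return (ca_validate("127.0.0.1", port, token, jwk),
                ca_validate("127.0.0.1", port, "unknown-token", jwk),
                ca_validate("127.0.0.1", port, token, other))
    finally:
        server.shutdown(); server.server_close()

if __name__ == "__main__":
    print(demo())
```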