[Pulp-list] Pulp v2.4 with SSL

Randy Barlow rbarlow at redhat.com
Tue Sep 30 14:06:11 UTC 2014


On 09/29/2014 10:28 PM, Trey Dockendorf wrote:
> What would have to be changed besides the apache configuration to
> support using a trusted certificate for accessing Pulp via SSL but
> also allow Pulp to still sign its own certificates?  The places that
> mention certificates in the configuration files all seem to indicate
> it's best to use a trusted certificate for production.  Is the Pulp CA
> used for activity like pulp-admin something that is set up by default,
> and only Apache needs to be configured with a trusted certificate?

Hi Trey,

You don't need to worry about the Pulp CA. It's internal to Pulp and is
generated at install time. Of course, you are free to replace it with
your own certificate if you like. It is installed at /etc/pki/pulp. This
CA is used to sign user login certificates. When pulp-admin login is
successful, the server creates a client certificate, signs it with that
CA, and hands it back to pulp-admin. pulp-admin then uses this
certificate to authenticate the user for future calls until the
certificate expires.

If you want to serve Pulp with a signed certificate, you need to edit
/etc/httpd/conf.d/ssl.conf. In this file you can change the SSL
certificate and key that Apache uses to serve all SSL content. You can
read about the settings in this file here:

https://httpd.apache.org/docs/2.2/mod/mod_ssl.html
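
The following is an added example, not part of the message above and not Pulp or Apache code: a small Python check that reads the text of ssl.conf and reports whether Apache still serves the self-signed default pair, or has been pointed at material under /etc/pki/pulp, which the message describes as Pulp's internal CA. The default localhost.crt/localhost.key paths are assumed from a stock RHEL/CentOS mod_ssl install; the function names, the pulp.example.com file names and the sample fragments are constructed for illustration.

```python
import re

# Assumed stock RHEL/CentOS mod_ssl paths for the self-signed default pair.
DEFAULT_PATHS = {"/etc/pki/tls/certs/localhost.crt",
                 "/etc/pki/tls/private/localhost.key"}
PULP_CA_DIR = "/etc/pki/pulp"  # internal CA location named in the message
WANTED = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")
DIRECTIVE = re.compile(r"^\s*(\w+)\s+(\S.*?)\s*$")

def serving_cert_settings(conf_text):
    """Return {directive: path} for active (uncommented) certificate directives."""
    found = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m and m.group(1) in WANTED:
            found[m.group(1)] = m.group(2).strip('"')
    return found

def audit(conf_text):
    """List problems with the certificate Apache presents to clients."""
    settings = serving_cert_settings(conf_text)
    problems = []
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        path = settings.get(name)
        if path is None:
            problems.append(f"{name} is not set")
        elif path in DEFAULT_PATHS:
            problems.append(f"{name} still points at the default {path}")
        elif path.startswith(PULP_CA_DIR + "/"):
            problems.append(f"{name} uses Pulp's internal CA material: {path}")
    return problems

# Constructed sample ssl.conf fragments (not taken from a real host).
STOCK = """
<VirtualHost _default_:443>
SSLEngine on
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""
UPDATED = STOCK.replace("#SSL", "SSL").replace("localhost", "pulp.example.com")

if __name__ == "__main__":
    for label, text in (("stock", STOCK), ("updated", UPDATED)):
        print(label, audit(text) or "ok")
```

The check only inspects paths in the configuration text; it does not open the certificate files or validate the chain.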
