Merging tlscertfile and tlscafile to only one TLS certificate
Grant Taylor
gtaylor at tnetconsulting.net
Wed Sep 8 21:54:14 UTC 2021
On 9/8/21 2:47 PM, Julien ÉLIE wrote:
> Wouldn't it be better to do the same thing as Apache?
I don't think so. (See below.)
> Is there a reason for separating the certificates?
I believe there is.
To me:
- The tlscertfile is the local machine's certificate. It should
/only/ be accessed by processes on the local system. -- HIGH security.
- The tlscafile is a copy of public certificate(s) from certificate
authorities. It (they) can be accessed by anyone. -- low security.
My personal opinion is that the HIGH security and low security contents
should *NOT* be /mixed/ in the same file.
Aside: There may be some quibble room over public vs private part of
the certificate and wherever the associated key is stored. (I don't
remember off hand.) The key /definitely/ should *NOT* be co-mingled
with anything else of lesser sensitivity.
> (In case there is one global CA file for the news server shared with
> several applications, it might make sense to have it elsewhere so
> maybe that is the reason, though it seems confusing to people.)
I think it would be detrimental to security to share a common
certificate for multiple services. This was highlighted by the recent
ALPACA Attack (alpaca-attack.com).
--
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/inn-workers/attachments/20210908/3bd51872/attachment.bin>
More information about the inn-workers
mailing list