Red Hat Bugzilla – Bug 1259449
Include the CA certificate for *.access.redhat.com in ca-certificates
Last modified: 2016-07-03 21:35:18 EDT
The certificates attached to this BZ should be added to the ca-certificates RPM to facilitate communication back to the Red Hat Customer Portal.
Created attachment 1069493
Created attachment 1069494
This BZ should be implemented in conjunction with BZ1259456
After talking to Kai, putting the *.redhat.com CAs in ca-certificates isn't a good idea as it is intended to be a global repository. I'm going to close this BZ.
I saw you have filed
which requests to add our own CA to the systemwide list of trusted CAs.
This is the first time I see such a request. I believe that in the past
certificates from global CAs have been used for certificates for our corporate
websites. Can you please tell me, who has discussed and decided that this
strategy should be used?
In my opinion, we should avoid including a CA that could be used to issue
certificates for any website.
If you really need to include a CA, because you must issue your own certificates
to access corporate websites, you should be aware of the following: Only users
of our operating system will be able to connect to our site directly. Everyone
else will see security warnings in their browser, that our site isn't trusted.
If you are aware of that, and would like to use this approach (own CA) anyway,
then I would like to request that we constrain that CA.
It is possible to add a domain name constraints extension to a root CA
certificate, which limits for which domains certificates can be issued.
Given the potential of abuse of a CA certificate, it would give our customers
the guarantee that we intend to use the CA we're adding only for our own sites,
not for anything else.
Please let me know what you think, I'm interested to hear about your
motivations for that request, and if you're OK with the constraint that I'm
(On a side note, I couldn't download your attachments from the bug, it seems you
have attached HTML documents, not certificates?)
Thanks and Regards
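
The name constraint described in the comment above, as an added example that is not part of the original bug report: a root CA carrying a critical nameConstraints extension, with one leaf inside the permitted subtree and one outside it. It assumes the openssl command-line tool is installed; example.com, example.org and all file names are constructed stand-ins.

```shell
# Added example. All names are constructed; example.com stands in for the
# one domain the root CA is meant to serve.
name_constraint_demo() {
    nc_dir=$(mktemp -d) || return 1
    (
        cd "$nc_dir" || exit 1
        # Root CA config: the critical nameConstraints line is the constraint.
        cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:example.com
EOF
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ca.cnf \
            -keyout ca.key -out ca.pem 2>/dev/null || exit 1
        # Issue one leaf inside the permitted subtree and one outside it.
        for host in portal.example.com www.example.org; do
            printf 'subjectAltName = DNS:%s\n' "$host" > leaf.ext
            openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$host" \
                -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
            openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
                -CAcreateserial -days 1 -extfile leaf.ext -out leaf.pem \
                2>/dev/null || exit 1
            # The CA signs both; it is the verifier that enforces the constraint.
            if openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1; then
                echo "$host accepted"
            else
                echo "$host rejected"
            fi
        done
    )
    nc_rc=$?
    rm -rf "$nc_dir"
    return "$nc_rc"
}

name_constraint_demo
```

The CA key can still sign a certificate for any name; the protection comes from clients that process the extension and refuse the out-of-scope leaf during path validation.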