Fixes #28449: Complete documentation for the new HTTPS protocol #1133
Conversation
ncharles left a comment
This is a nice change, but there are some typos and imprecision that needs to be corrected
Reviewed text (from the documentation diff):

**Certificates with node ID in SAN**

By default the server looks for the node id in the certificate in the `UID` value of the `DN`. But it is not always possible to sign such certificates. In this case it is possible to move the node into into the Subject Alternative Name (`SAN`) part of the certificate.
"it is not always possible to sign such certificates." isn't the issue in creating this certificate, or issuing this certificate?
"move the node into into" -> "move the node ID"
Double into will be fixed in upcoming fixup.
The issue is with obtaining the signed certificate from a CA. It is always possible to generate a certificate request, but a commercial CA will almost always check that the provided DN resolves in DNS and that the requester has effective ownership of this machine, which boils down to "it's reachable from the Internet using the name provided as DN", which would not be possible with a node's UID of course.
So the phrasing looks correct to me if we don't want to enter long explanations, the documentation is already somewhat long and complex...
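To make the two certificate layouts discussed above concrete, here is an added example (not code from the Rudder project or this PR) that builds a self-signed certificate with a constructed node ID in the DN `UID` attribute, another with the ID in the SAN, and extracts the ID from each. The SAN entry type and the `urn:example:node:` prefix are assumptions for illustration; the DN-first lookup order is also an assumption, since the reviewed text does not state how the two locations are combined.

```shell
#!/bin/sh
# Requires OpenSSL 1.1.1 or later (for -addext and -ext).
set -eu

NODE_ID="3a7c9e0e-0000-4000-8000-000000000001"   # constructed sample node ID
WORK=$(mktemp -d)

# Certificate 1: node ID carried in the UID attribute of the subject DN
# (the default location the server looks at).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=node.example/UID=$NODE_ID" \
  -keyout "$WORK/uid.key" -out "$WORK/uid.crt" 2>/dev/null

# Certificate 2: plain DN, node ID carried in the Subject Alternative Name.
# The SAN form (a URI with an example-only prefix) is an assumption.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=node.example" \
  -addext "subjectAltName=URI:urn:example:node:$NODE_ID" \
  -keyout "$WORK/san.key" -out "$WORK/san.crt" 2>/dev/null

# Print the UID attribute of the subject DN, or nothing if it is absent.
node_id_from_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*UID=\([^,]*\).*/\1/p'
}

# Print the node ID found in the SAN URI entry, or nothing if it is absent.
node_id_from_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | sed -n 's/.*URI:urn:example:node:\([^,]*\).*/\1/p'
}

# Resolve the node ID: DN UID first, then SAN (lookup order is an assumption).
node_id() {
  id=$(node_id_from_dn "$1")
  [ -n "$id" ] || id=$(node_id_from_san "$1")
  printf '%s\n' "$id"
}

echo "UID cert  -> $(node_id "$WORK/uid.crt")"
echo "SAN cert  -> $(node_id "$WORK/san.crt")"
```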
Fixes #28449: Complete documentation for the new HTTPS protocol

PR updated with a new commit
@m-bouissou there is a typo to fix to allow merge
https://issues.rudder.io/issues/28449