Posted to dev@pivot.apache.org by Niclas Hedhman <ni...@hedhman.org> on 2009/03/10 03:05:53 UTC

Re: SSL certificate

On Tue, Mar 10, 2009 at 3:07 AM, Greg Brown <gk...@mac.com> wrote:
> Niclas/Martijn,
>
> One of the items we had requested in our original Incubator proposal is an SSL certificate to be used for code signing. We have a number of demo applets that are currently signed with a temporary certificate (which has actually expired). Ideally, we would sign our JARs with a valid certificate signed by the Incubator. Is such a thing available - if so, how do we go about getting one?


1. First of all, this is not a "private" issue and can be discussed in the open.

2. I have no clue how these things work. Martijn, do you know anything?

IIRC, SSL must be negotiated prior to passing into Virtual Host
resolution, so only one SSL Cert per IP, but the Cert must contain the
virtual host it serves. This limitation is perhaps more than what can
be handled. There is no PKI infrastructure at the ASF, although it has
been discussed for many years.

The right place is to ask on infrastructure@apache.org. There you have
the guys who really understand networks, and exactly how the Apache
system is composed. They are no different than any other mailing list,
so just follow regular netiquette and you will get concise answers.


Cheers
Niclas
-- 
http://www.qi4j.org - New Energy for Java

Re: SSL certificate

Posted by Paul Querna <pa...@querna.org>.
On Tue, Mar 10, 2009 at 7:10 AM, Todd Volkert <tv...@gmail.com> wrote:
> Yeah, what we need is a JavaSoft Developer Code Signing Certificate,
> and I think Greg was asking if Apache or the Incubator project has a
> shared cert that we may use.

I do not believe we have any code signing certificates at the ASF at this time.

We have the RM sign things with their GPG keys personally, rather than
a single shared certificate.

> On Tue, Mar 10, 2009 at 9:40 AM, Greg Brown <gk...@mac.com> wrote:
>>>IIRC, SSL must be negotiated prior to passing into Virtual Host
>>>resolution, so only one SSL Cert per IP, but the Cert must contain the
>>>virtual host it serves. This limitation is perhaps more than what can
>>>be handled. There is no PKI infrastructure at the ASF, although it has
>>>been discussed for many years.
>>
>> Oops. Just realized that I incorrectly referred to this as an "SSL" cert - we don't need the cert for SSL, we need it to sign our JARs. Sorry for the confusion.
>>
>> G
>>
>>
>>
>

Re: SSL certificate

Posted by Todd Volkert <tv...@gmail.com>.
Yeah, what we need is a JavaSoft Developer Code Signing Certificate,
and I think Greg was asking if Apache or the Incubator project has a
shared cert that we may use.

-T

On Tue, Mar 10, 2009 at 9:40 AM, Greg Brown <gk...@mac.com> wrote:
>>IIRC, SSL must be negotiated prior to passing into Virtual Host
>>resolution, so only one SSL Cert per IP, but the Cert must contain the
>>virtual host it serves. This limitation is perhaps more than what can
>>be handled. There is no PKI infrastructure at the ASF, although it has
>>been discussed for many years.
>
> Oops. Just realized that I incorrectly referred to this as an "SSL" cert - we don't need the cert for SSL, we need it to sign our JARs. Sorry for the confusion.
>
> G
>
>
>

Re: SSL certificate

Posted by Greg Brown <gk...@mac.com>.
>IIRC, SSL must be negotiated prior to passing into Virtual Host
>resolution, so only one SSL Cert per IP, but the Cert must contain the
>virtual host it serves. This limitation is perhaps more than what can
>be handled. There is no PKI infrastructure at the ASF, although it has
>been discussed for many years.

Oops. Just realized that I incorrectly referred to this as an "SSL" cert - we don't need the cert for SSL, we need it to sign our JARs. Sorry for the confusion.

G



Re: SSL certificate

Posted by Greg Brown <gk...@mac.com>.
>1. First of all, this is not a "private" issue and can be discussed in the open.

OK - it seemed more like an infrastructure issue than a dev issue, so I thought private was a better place for it. But I will use dev in the future.

>IIRC, SSL must be negotiated prior to passing into Virtual Host
>resolution, so only one SSL Cert per IP, but the Cert must contain the
>virtual host it serves. This limitation is perhaps more than what can
>be handled. There is no PKI infrastructure at the ASF, although it has
>been discussed for many years.

We actually don't need to install the cert on the server - we need to embed it in the JARs. I'll ask infrastructure@apache.org.

Thanks,
Greg