tls.create_self_signed_cert misses subjectKeyIdentifier (let bacula-fd fail)

Christian Michel

Mar 25, 2015, 12:14:53 PM3/25/15
to salt-...@googlegroups.com
Hi, 

got the following problem while doing a proof of concept of the usage of SaltStack for the network server config of several servers:
- there is a bacula instance within the network, which works with Data Encryption
- for this purpose, every bacula-client needs its own key/cert pair

Normally this key/value pair is created calling 

openssl genrsa -out fd-$HOSTNAME.key 2048
openssl req -new -key fd-$HOSTNAME.key -x509 -out fd-$HOSTNAME.cert -days 7300
This should now be done automatically with salt stack.
Found this as "best practice"


Creating the self signed cert with saltstack works, but this method won't set subjectKeyIdentifier (openssl methods from above do this).

Is there a reason why create_self_signed_cert won't set the subjectKeyIdentifier extension?

Kind Regards


Christian Michel



Colton Myers

Apr 2, 2015, 4:11:28 PM4/2/15
to salt-...@googlegroups.com
> Is there a reason why create_self_signed_cert won't set the subjectKeyIdentifier extension?

I am not familiar enough with that module to be able to answer this question intelligently. But it seems like it would be fairly straightforward to add an argument to set that subjectKeyIdentifier extension. Would you mind opening an issue on Github?

Thanks!

--
Colton Myers
Platform Engineer, SaltStack
@basepi on Twitter/Github/IRC
