certName / usage scenario?

Hey all, I read about the certName option and have some question marks.

Does certName affect the internal generation of the cert.pem certificate?

Scenario: Installing a new instance with a pre-deployed config.xml with

    ...
    <defaults>
        <device>
          <certName>example</certName>
        </device>
    </defaults>
    ...

or is this option just for the cases where the cert file is “manually/off site” generated and placed? Thanks.

Yes. It's just for certificates generated by something else.


Ok, thanks.

While evaluating the manual process of creating an equivalent cert.pem, I noticed the following:

I’m using

    go run $(go env GOROOT)/src/crypto/tls/generate_cert.go --host=syncthing --ecdsa-curve=P384 --duration=$((20*24*365))h

for the custom cert.pem.

One difference to the syncthing cert.pem is that syncthing adds KeyEncipherment to the KeyUsage list.

https://github.com/syncthing/syncthing/blob/main/lib/tlsutil/tlsutil.go#L113

but the following stanza comes from golang's lib:

https://cs.opensource.google/go/go/+/master:src/crypto/tls/generate_cert.go;l=87

    // Only RSA subject keys should have the KeyEncipherment KeyUsage bits set. In
    // the context of TLS this KeyUsage is particular to RSA key exchange and
    // authentication.

Just want to mention it here for further assessment …
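The difference described in the post above can be checked programmatically. This is an added example, not code from the thread, Syncthing or the Go project: it builds two constructed ECDSA P-384 test certificates and reports whether KeyEncipherment is set on a non-RSA subject key. The function names `selfSigned` and `strayKeyEncipherment` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a constructed, throwaway ECDSA P-384 certificate with the given KeyUsage bits.
func selfSigned(usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "syncthing"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // round-trip so the check reads the encoded extension
}

// strayKeyEncipherment reports KeyEncipherment set on a certificate whose subject key is not RSA.
func strayKeyEncipherment(c *x509.Certificate) bool {
	return c.PublicKeyAlgorithm != x509.RSA && c.KeyUsage&x509.KeyUsageKeyEncipherment != 0
}

func main() {
	both := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	for _, ku := range []x509.KeyUsage{x509.KeyUsageDigitalSignature, both} {
		c, err := selfSigned(ku)
		if err != nil {
			panic(err)
		}
		hasKE := c.KeyUsage&x509.KeyUsageKeyEncipherment != 0
		fmt.Printf("%v key, KeyEncipherment=%v, flagged=%v\n", c.PublicKeyAlgorithm, hasKE, strayKeyEncipherment(c))
	}
}
```

To inspect an existing cert.pem instead, decode it with `encoding/pem` and pass the DER bytes to `x509.ParseCertificate` before calling the check.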

Is that causing issues?

We used to use RSA keys which is probably why it’s still there.
