LE0N
November 26, 2021, 5:20pm
1
Hey all, I read about the certName option and have some question marks.
Does certName affect the internal generation of the cert.pem certificate?
Scenario: Installing a new instance with a pre-deployed config.xml with
...
<defaults>
<device>
<certName>example</certName>
</device>
</defaults>
...
or is this option just for the cases where the cert file is “manually/off site” generated
and placed? Thanks.
Yes. It's just for certificates generated by something else.
1 Like
LE0N
November 27, 2021, 7:27pm
3
Ok, thanks.
While evaluating the manual process in creating an equivalent
cert.pem I noticed the following:
I’m using
go run $(go env GOROOT)/src/crypto/tls/generate_cert.go --host=syncthing --ecdsa-curve=P384 --duration=$((20*24*365))h
for the custom cert.pem.
One difference to the syncthing cert.pem is that syncthing adds KeyEncipherment to the KeyUsage list.
https://github.com/syncthing/syncthing/blob/main/lib/tlsutil/tlsutil.go#L113
but the following stanza comes from golang's lib:
https://cs.opensource.google/go/go/+/master:src/crypto/tls/generate_cert.go;l=87
// Only RSA subject keys should have the KeyEncipherment KeyUsage bits set. In
// the context of TLS this KeyUsage is particular to RSA key exchange and
// authentication.
Just want to mention it here for further assessment …
Is that causing issues?
We used to use RSA keys which is probably why it’s still there.
1 Like