On Tue, Oct 9, 2018 at 4:56 AM Stef Walter <swalter(a)redhat.com> wrote:
On 09/10/2018 08:47, Paul Cuzner wrote:
> Excellent.
>
> Will this also work with self-signed, or would you simply specify
> validate false?
The latter. The following for self-signed:
{ "tls": { "validate": false } }
In particular self-signed certificates do not have anything appropriate
to put under "authority" in order to make them validate.
Tangentially related: I'd recommend using a signed certificate rather
than a self-signed one, even in testing environments. You'd be
surprised how often people get into the habit of doing "validate:
false" everywhere and then get into trouble. I wrote a handy little
tool a while ago (packaged on Fedora and EPEL) called sscg (the Simple
Signed Certificate Generator) that will create a safe certificate for
the same use-cases as self-signed, except that it contains a
certificate authority you can import in your clients that will
validate only this service.
See
https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates...
for details on how it works and http://github.com/sgallagher/sscg for
the source.