Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

server: print sha256 fingerprint of TLS cert to server logs #2192

Merged
merged 1 commit into from
Jun 7, 2022
Merged

server: print sha256 fingerprint of TLS cert to server logs #2192

merged 1 commit into from
Jun 7, 2022

Conversation

dnephin
Copy link
Contributor

@dnephin dnephin commented Jun 3, 2022

This log message will only be printed once, when the cert is first generated. It would be nice to have it printed on every restart, but the way our TLS config is setup right now that is difficult. Maybe we'll be able to fix that as part of #2176 or #2067, which will involve some work in this area.

After the initial cert generation someone with access to the certificate can produce the fingerprint using openssl:

openssl x509 -noout -fingerprint -sha256 -inform pem -in

The certificate is stored in a file in the directory specified by the tlsCache server option.

This fingerprint will be used in #2177, for #1541.

I extracted a couple functions that I expect to use in #2177, but I've left them unexported for now.

@dnephin
improve: print fingerprint of TLS cert to server logs
10b6ba8 
This log message will only be printed once, when the cert is first
generated.

After that someone can produce the fingerprint use openssl as long as
they have access to the PEM file, using:

openssl x509 -noout -fingerprint -sha256 -inform pem -in
@dnephin dnephin requested review from jmorganca and pdevine as code owners June 3, 2022 22:46
@dnephin dnephin requested a review from ssoroka June 3, 2022 22:46
BruceMacD
BruceMacD approved these changes Jun 6, 2022
View reviewed changes
Copy link
Collaborator

@BruceMacD BruceMacD left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good

@dnephin dnephin merged commit e1d20cb into main Jun 7, 2022
@dnephin dnephin deleted the dnephin/print-cert-fingerprint branch June 7, 2022 19:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BruceMacD BruceMacD BruceMacD approved these changes

@jmorganca jmorganca Awaiting requested review from jmorganca

@pdevine pdevine Awaiting requested review from pdevine

@ssoroka ssoroka Awaiting requested review from ssoroka

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dnephin @BruceMacD