The demo CA used in quickstart is expiring this year.
Already for 6.5.1 the new one should be used. Of course certs for other services are needed too.
Some suggestions from Krzysztof:
- no EMAILADDRESS in DNs - it has been deprecated for years and is highly non-portable.
- longer validity - 30 years?
- as this is a demo - maybe we can have it public, so other, non-FZJ-based
services would have the demo certs from the same CA? Something like
the demo CA we have (but probably only I'm using it) for generating unit
testing certificates in securityFramework/dummyCA?
- in quickstart I'd split demo truststore from keystores. Should suggest
the proper approach. Of course with one truststore for all services.