On Tuesday, 21 July 2020 09:13:18 PDT Alexander Carôt wrote:
> Well, it's worth learning it and also from your answer I understand that the
> current files in the example server do *not* work. This is a good
> confirmation because indeed it doesn't :-)

Whether they work or not is irrelevant, since you shouldn't be shipping the same certificate to all users. You'd have to make it extremely long-lived (expiry 20 years from now). Generating a short-lived one (3 months) limits the damage if it somehow gets misused.

> So - I will try to keep track on this and let you know how it goes.
>
> In case anyone else can send me a pointer how to generate a versatile
> localhost-certificate (CERT and KEY File) which works on *any* machine
> please let me know.

Certificate generation requires these steps:

1) Create a private/public key pair (usually RSA, but it doesn't need to be). Creating a private key usually involves random numbers, so please be sure that OpenSSL's random generator is properly seeded, if it can't be guaranteed to auto-seed. Qt's QRandomGenerator::system() is of cryptographic quality and requires no seeding[*], so you can use it to generate random data to seed OpenSSL if necessary. RSA key pairs are usually big these days (2048 to 4096 bits), so you may want to investigate an elliptic curve key instead, which would reduce the computation time.

2) Create a certificate-signing request (CSR), which contains the certificate header fields. Notably, it has the CN (Common Name) field, which identifies which hostnames it applies to. You want "localhost".

3) Sign the CSR. You'll sign with the key used in #1, causing this to be self-signed. The result is the certificate.

There are lots of examples on the Internet on how to do this with the openssl command. You'll have to find out how to do it with the API, if you don't want to ship the command.

For anyone wondering about turning off the SSL error on self-signed certificates: self-signing isn't inherently bad. The SSL error comes not because the certificate is self-signed, but because it's not signed by any certificate in the Certificate Authority list. The fact it's self-signed is simply extra information, as it's the most common cause of an authority not being found.

But if you add the certificate itself to the CA list (in fact, make it the only entry!), then it'll match to a CA and you get no SSL error.

[*] this is also why René is having problems with the RDRAND instruction in the other thread.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel DPG Cloud Engineering

_______________________________________________
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest
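The three steps described in the mail (key pair, CSR with CN=localhost, self-signing) and the closing point about adding the certificate itself to the CA list, worked through with the openssl command line. This is an added example, not code from the mail, from Qt or from the example server it discusses. It assumes `openssl` is on PATH; the file names, output directory, P-256 curve and 90-day validity are this example's own choices. The CSR also carries a subjectAltName extension, which the mail does not mention, because current TLS clients match the hostname against SAN rather than CN.

```shell
#!/bin/sh
# Constructed example: short-lived self-signed certificate for "localhost"
# built with the openssl CLI, then verified with the certificate itself as
# the only CA. Assumes openssl is on PATH; paths/names are this example's own.

set -e

# gen_localhost_cert DIR [DAYS]
# Writes DIR/localhost.key, DIR/localhost.csr and DIR/localhost.crt,
# the certificate being valid for DAYS days (default 90, i.e. ~3 months).
gen_localhost_cert() {
    dir="$1"
    days="${2:-90}"
    mkdir -p "$dir"

    # Step 1: private/public key pair. A P-256 elliptic curve key is far
    # cheaper to generate and use than a 2048-4096 bit RSA key.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/localhost.key"

    # Step 2: certificate-signing request with CN=localhost. The SAN entries
    # are what modern TLS clients actually match the hostname against.
    cat > "$dir/localhost.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = localhost
[ext]
subjectAltName = DNS:localhost, IP:127.0.0.1
basicConstraints = CA:TRUE
EOF
    openssl req -new -key "$dir/localhost.key" -config "$dir/localhost.cnf" \
        -out "$dir/localhost.csr"

    # Step 3: sign the CSR with the same key (self-signed), copying the
    # requested extensions. A short validity period limits the damage if the
    # key is ever misused.
    openssl x509 -req -in "$dir/localhost.csr" -signkey "$dir/localhost.key" \
        -days "$days" -extfile "$dir/localhost.cnf" -extensions ext \
        -out "$dir/localhost.crt" 2>/dev/null
}

# verify_as_own_ca CERT
# Exit 0 only when CERT chains to a CA list whose sole entry is CERT itself:
# the "add the certificate to the CA list" case from the mail.
verify_as_own_ca() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# verify_against_system_cas CERT
# Exit 0 only when CERT chains to the system CA list; for a self-signed
# certificate this is expected to fail, which is exactly the SSL error.
verify_against_system_cas() {
    openssl verify "$1" >/dev/null 2>&1
}

# cert_names_localhost CERT
# Exit 0 when the certificate's subject CN and its SAN both name localhost.
cert_names_localhost() {
    openssl x509 -in "$1" -noout -subject | grep -q 'CN *= *localhost' &&
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:localhost'
}
```

Typical use is `gen_localhost_cert ./certs 90` followed by `verify_as_own_ca ./certs/localhost.crt`; the same `localhost.crt` is what the client side has to load as its only CA certificate (in Qt, via QSslConfiguration's CA certificate list) to get rid of the SSL error without disabling verification altogether.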