[Jenkins-infra] [#121516] Re: repo.jenkins-ci.org certificate renewal

Kohsuke Kawaguchi kk at kohsuke.org
Tue Feb 11 00:25:16 UTC 2020

OK. I can do that, and I will do that. Can I get your GPG key so that I can
send the key encrypted to you?

I can't resist but saying, though --- operationally this just feels like a
bad security practice. The secret key, side by side with a certificate, has
to travel through however many hops. The standard practice is for the
hosting provider to give me a certificate signing request to get a
certificate issued for. That way, the secret key never leaves the system
that terminates SSL. This is only meant as a data point, so that when
others tell you the same thing you can weigh its priority accordingly.

On Mon, Feb 10, 2020 at 1:02 PM JFrog Support <support at jfrog.com> wrote:

> Hi Kohsuke,
> I got an update on this as to why it hasn't been updated yet. Per my
> engineer, we cannot replace the certificate without the .key file that is
> associated with the certificate, even if it is the same .key as was used
> when the certificate was first installed. Please share a zip that includes
> the key as well as the certificate, so we can replace the certificate.
> Thank you for your patience on this issue. As soon as we have the
> necessary pieces, we'll be able to complete the request.
> Best regards,
> Jason Gloege
> JFrog Support
> [image: JFrog]
> <https://swampup.jfrog.com/?utm_source=Email&utm_medium=Signature&utm_campaign=swampUP_2020&utm_content=HTS_Support>
> ref:_00D20M3v0._5001r2cnsmg:ref

Kohsuke Kawaguchi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.jenkins-ci.org/pipermail/jenkins-infra/attachments/20200210/7ea13f23/attachment.html>

More information about the Jenkins-infra mailing list