[Jenkins-infra] [#121516] Re: repo.jenkins-ci.org certificate renewal
kk at kohsuke.org
Tue Feb 11 02:11:23 UTC 2020
If I'm reading GoDaddy's UI right, if I generate a new private key and
obtain a new certificate for that key, I have 72 hours until the old
certificate (the one that's currently serving the live traffic) is revoked.
So we need to time this right. What is the time window you can work on
this? I'm also traveling over the next 8 days, so we want to make sure we
find the right window to do this.
On Mon, Feb 10, 2020 at 4:25 PM Kohsuke Kawaguchi <kk at kohsuke.org> wrote:
> OK. I can do that, and I will do that. Can I get your GPG key so that I
> can send the key encrypted to you?
> I can't resist saying, though --- operationally this just feels like a
> bad security practice. The secret key, side by side with a certificate, has
> to travel through however many hops. The standard practice is for the
> hosting provider to give me a certificate signing request to get a
> certificate issued for. That way, the secret key never leaves the system
> that terminates SSL. This is only meant as a data point, so that when
> others tell you the same thing you can weigh its priority accordingly.
> On Mon, Feb 10, 2020 at 1:02 PM JFrog Support <support at jfrog.com> wrote:
>> Hi Kohsuke,
>> I got an update on this as to why it hasn't been updated yet. Per my
>> engineer, we cannot replace the certificate without the .key file that is
>> associated with the certificate, even if it is the same .key as was used
>> when the certificate was first installed. Please share a zip that includes
>> the key as well as the certificate, so we can replace the certificate.
>> Thank you for your patience on this issue. As soon as we have the
>> necessary pieces, we'll be able to complete the request.
>> Best regards,
>> Jason Gloege
>> JFrog Support
> Kohsuke Kawaguchi
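
The CSR workflow described in the quoted message above, sketched with the OpenSSL command line as an added example that is not part of the original thread: the key is generated on the host that terminates TLS, only the CSR is sent out, and the returned certificate is checked against the local key before install. The function names, file names and host name used here are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and file names are hypothetical.

# Run on the TLS-terminating host: create the key locally (owner-only
# permissions) and derive a CSR from it. Only server.csr leaves the host.
make_csr() {
    dir=$1; cn=$2
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr"
}

# Pre-send check: the file is a CSR with a valid self-signature and
# contains no private key material.
csr_is_safe_to_send() {
    ! grep -q 'PRIVATE KEY' "$1" &&
        openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# SHA-256 over the DER public key held in a key, CSR or certificate.
pub_fingerprint() {
    case $1 in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1   # unreadable input must not hash as "empty"
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Pre-install check: the certificate returned by the CA was issued for
# the key that is already on this host.
cert_matches_key() {
    c=$(pub_fingerprint cert "$1") && k=$(pub_fingerprint key "$2") &&
        [ "$c" = "$k" ]
}
```
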