--- | Log | opened Sun Jan 10 00:00:48 2021 |
02:54 | -!- | g0t [~username@dh207-97-150.xnet.hr] has joined #linode |
02:54 | -!- | g0t is "username" on #linode |
03:30 | -!- | g0t [~username@dh207-97-150.xnet.hr] has quit [Ping timeout: 480 seconds] |
03:34 | -!- | g0t [~username@dh207-97-150.xnet.hr] has joined #linode |
03:34 | -!- | g0t is "username" on #linode |
04:12 | -!- | Shentino [~shentino@096-041-218-191.res.spectrum.com] has quit [Ping timeout: 480 seconds] |
04:20 | -!- | jojo [~u0_a157@223.91.74.35] has quit [Ping timeout: 480 seconds] |
06:45 | -!- | lls [~lls@0002aa2c.user.oftc.net] has quit [Remote host closed the connection] |
07:15 | -!- | NomadJim [~Jim@72.168.160.18] has quit [Ping timeout: 480 seconds] |
07:25 | <linbot> | New news from community: How do I work my fully qualified domain name and my root domain to a website <https://www.linode.com/community/questions/20910> |
09:31 | -!- | jojo [~u0_a157@2408:8420:6b00:a003:1c17:4dba:e29c:c24a] has joined #linode |
09:31 | -!- | jojo is "fu xin son" on #linode |
10:25 | -!- | Shentino [~shentino@096-041-218-191.res.spectrum.com] has joined #linode |
10:25 | -!- | Shentino is "realname" on #kernelnewbies #qemu #mm #linode #tux3 |
10:32 | -!- | xtrWrithe [~xtrWrithe@00027ade.user.oftc.net] has joined #linode |
10:32 | -!- | xtrWrithe is "xtrWrithe" on #tor-south #linode #qemu |
10:36 | <Cromulent> | Right I need some advice here - I basically need a private and public X.509 key pair for JWT signing and verification |
10:37 | <Cromulent> | my thought was that if I created a self signed certificate authority and then generated the key pair from the CA cert I could have the public CA cert verify if the private key was legit |
10:37 | <Cromulent> | and then store the CA cert private key in a totally locked down Linode |
10:37 | <Cromulent> | am I misunderstanding anything here? |
10:59 | <branko> | Well, the terminology you are using looks a bit off to me when talking about X.509. |
11:00 | <Cromulent> | in what way? |
11:00 | <Cromulent> | I need a pem encoded X.509 key pair - the CA part can be ignored but I was curious about it |
11:01 | <branko> | Well, what you care about in the X.509 trust model the most is the certificates - the metadata stored within. E.g. name of issuer etc. Validation of crypto-related stuff (like who signed what, who has possession etc. of the private key) matters, but that's kinda "in the background". |
11:03 | <branko> | So, you'd create your self-signed/root CA (private key + certificate), generate private key for entity, generate certificate signing request with that private key that will contain extra info about the entity, and then issue a certificate based on that CSR. Afterwards you validate the end entity certificate using the CA certificate chain (in your case just the root CA). |
11:03 | <branko> | Mind you, CSR can kinda be skipped around, many CAs won't really trust much the info contained within. |
11:04 | <branko> | My explanation is also most likely oversimplified too :) |
11:04 | <Cromulent> | I see - I'm obviously misunderstanding something here |
11:05 | <branko> | Cromulent: To get maybe to one point - "generated the key pair from the CA" sounds a bit unusual. |
11:06 | <branko> | Cromulent: Well, reading up on some basics might be a good idea - keep in mind one thing, though - in _root_ you trust. |
11:07 | <branko> | E.g. you can have a pretty long chain of CA certificates leading to your end entity certificate, but you trust the thing at the top of the chain. That's where you bootstrap the trust. |
11:59 | -!- | Shentino [~shentino@096-041-218-191.res.spectrum.com] has quit [Remote host closed the connection] |
12:11 | -!- | xtrWrithe [~xtrWrithe@00027ade.user.oftc.net] has quit [Quit: WeeChat 2.4] |
12:11 | -!- | xtrWrithe [~xtrWrithe@00027ade.user.oftc.net] has joined #linode |
12:11 | -!- | xtrWrithe is "xtrWrithe" on #tor-south #linode #qemu |
12:12 | -!- | xtrWrithe [~xtrWrithe@00027ade.user.oftc.net] has quit [] |
12:12 | -!- | xtrWrithe [~xtrWrithe@00027ade.user.oftc.net] has joined #linode |
12:12 | -!- | xtrWrithe is "xtrWrithe" on #tor-south #linode #qemu |
12:16 | <linbot> | New news from community: Theoretical Server Usage <https://www.linode.com/community/questions/20911> |
12:18 | <Peng> | v_v |
12:29 | -!- | Parshant_test [~oftc-webi@106.215.108.183] has joined #linode |
12:29 | -!- | Parshant_test is "OFTC WebIRC Client" on #linode |
12:29 | -!- | Parshant_test [~oftc-webi@106.215.108.183] has quit [] |
13:03 | -!- | duckydanny [~duckydann@li1301-74.members.linode.com] has quit [Quit: ZNC - http://znc.in] |
13:05 | -!- | duckydanny [~duckydann@li1301-74.members.linode.com] has joined #linode |
13:05 | -!- | duckydanny is "Dan" on #tor-project #moocows #linode #debian |
14:37 | -!- | jojo [~u0_a157@2408:8420:6b00:a003:1c17:4dba:e29c:c24a] has quit [Ping timeout: 480 seconds] |
14:41 | <LouWestin> | Cromulent: usually when I've done a self signed cert the web browsers (if you're accessing something via browser) throws huge warning. |
14:42 | <Cromulent> | this isn't for a website - this is for signing and verifying JWT |
14:42 | <LouWestin> | Ok |
14:43 | <Cromulent> | but yeah you are right |
14:43 | <LouWestin> | Might be fine. |
14:43 | <LouWestin> | Only one way to find out! |
14:44 | <LouWestin> | LE would be nice if it didn't last for only 90 days |
14:45 | <LouWestin> | Sometimes it's a pain to auto renew without certbot and in your case you might not be able to do that anyway. Not too sure. |
15:49 | -!- | Shentino [~shentino@096-041-218-191.res.spectrum.com] has joined #linode |
15:49 | -!- | Shentino is "realname" on #kernelnewbies #qemu #mm #linode #tux3 |
16:29 | <grawity> | Cromulent: in this case, yes, you start by generating a self-signed certificate, but then you can just use it directly for jwt, no need for step 2 |
17:38 | -!- | lls [~lls@0002aa2c.user.oftc.net] has joined #linode |
17:38 | -!- | lls is "lls" on #linode |
18:20 | -!- | aheczko [~oftc-webi@apn-46-215-229-190.dynamic.gprs.plus.pl] has joined #linode |
18:20 | -!- | aheczko is "OFTC WebIRC Client" on #linode |
18:21 | -!- | aheczko [~oftc-webi@apn-46-215-229-190.dynamic.gprs.plus.pl] has quit [] |
18:49 | -!- | jess [~jess@00029d95.user.oftc.net] has quit [Quit: Leaving] |
18:55 | -!- | g0t [~username@dh207-97-150.xnet.hr] has quit [Ping timeout: 480 seconds] |
19:17 | -!- | retro|blah [retrograde@000196da.user.oftc.net] has quit [Quit: Leaving] |
19:17 | -!- | retro|blah [retrograde@000196da.user.oftc.net] has joined #linode |
19:17 | -!- | retro|blah is "retrograde inversion" on #linode |
19:40 | -!- | u0_a310 [~u0_a310@139.193.218.194] has joined #linode |
19:40 | -!- | u0_a310 is "Unknown" on #linode |
19:41 | -!- | u0_a310 is now known as J07 |
19:41 | <J07> | d |
19:41 | <@pwoods> | e |
19:41 | -!- | J07 [~u0_a310@139.193.218.194] has quit [] |
19:46 | <Ikaros> | Was going to drop an 'f' in there, too bad they left. |
19:47 | <@pwoods> | Ikaros: please no f bombs. |
19:50 | <Ikaros> | Of course not, why I didn't say "f bomb" lol |
19:51 | <Ikaros> | You know, d...e...f...etc |
20:02 | <kharlan> | You callin’ me a defetc? |
20:09 | <Ikaros> | I'll just be over in my corner now... |
20:14 | <kharlan> | :p |
20:14 | -!- | packetcat [~staticsaf@00019b48.user.oftc.net] has quit [Quit: WeeChat 2.9] |
20:16 | -!- | packetcat [~staticsaf@00019b48.user.oftc.net] has joined #linode |
20:16 | -!- | packetcat is "staticsafe" on #linode |
20:58 | -!- | |GIG-1 [~MYOB@193.36.225.54] has quit [Quit: usairc org ] |
20:59 | -!- | |GIG [~MYOB@193.36.225.39] has joined #linode |
20:59 | -!- | |GIG is "J" on #linode #moocows |
21:01 | -!- | |GIG [~MYOB@193.36.225.39] has quit [] |
21:06 | <LouWestin> | g |
21:12 | -!- | |GIG [~MYOB@193.36.225.39] has joined #linode |
21:12 | -!- | |GIG is "J" on #linode #moocows |
21:13 | -!- | |GIG [~MYOB@193.36.225.39] has quit [Remote host closed the connection] |
21:15 | -!- | |GIG [~MYOB@193.36.225.197] has joined #linode |
21:15 | -!- | |GIG is "J" on #linode #moocows |
21:15 | -!- | |GIG-1 [~MYOB@193.36.225.197] has joined #linode |
21:15 | -!- | |GIG-1 is "J" on #linode #moocows |
21:19 | -!- | jojo [~u0_a157@223.91.74.35] has joined #linode |
21:19 | -!- | jojo is "fu xin son" on #linode |
21:23 | -!- | |GIG [~MYOB@193.36.225.197] has quit [Ping timeout: 480 seconds] |
21:33 | -!- | jojo [~u0_a157@223.91.74.35] has quit [Ping timeout: 480 seconds] |
21:49 | -!- | jojo [~u0_a157@223.91.74.35] has joined #linode |
21:49 | -!- | jojo is "fu xin son" on #linode |
22:06 | -!- | jojo_ [~u0_a157@223.91.74.35] has joined #linode |
22:06 | -!- | jojo_ is "fu xin son" on #linode |
22:08 | -!- | jojo [~u0_a157@223.91.74.35] has quit [Ping timeout: 480 seconds] |
22:12 | -!- | jojo_ [~u0_a157@223.91.74.35] has quit [Remote host closed the connection] |
22:14 | -!- | jojo_ [~u0_a157@223.91.74.35] has joined #linode |
22:14 | -!- | jojo_ is "fu xin son" on #linode |
22:32 | -!- | metta_ [~Quassel@2a01:4f8:1c0c:49df::1] has joined #linode |
22:32 | -!- | metta_ is "metta" on #linode |
23:26 | <Shentino> | Btw is there any recourse if someone hacks into my linode account and nukes my vm? |
23:26 | <Shentino> | just asking hypothetically |
23:29 | <chesty> | Shentino, restore from backups |
23:29 | <chesty> | ideally off site backups. |
--- | Log | closed Mon Jan 11 00:00:49 2021 |