#676 TLS certificate for xrdp - distinguished name, validity duration
Closed: Fixed. Opened 7 years ago by proski.

xrdp (Remote Desktop Protocol server) uses an openssl-generated X.509 certificate to encrypt traffic with the clients.

The upstream uses common name www.xrdp.org and a specific location in the US. It also makes the certificate valid for 365 days.
https://github.com/neutrinolabs/xrdp/blob/250bb610258fe762871aa2c479a1e5f485e88b89/keygen/Makefile.am

In the xrdp-0.9.1-1 package (currently in RawHide only), the common name is set to XRDP and no location is specified. The certificate is valid for 3652 days (10 years). The certificate is generated when the package is installed.

When clients connect, they get the certificate and present it to the user. Are there any guidelines about the distinguished name? Should Fedora be mentioned? How about the hostname? The version of xrdp should probably be omitted to make it harder for attackers to look for old software.

Also, should the certificate go to /etc/pki/xrdp? Whatever files I see under /etc/pki appear to be common for all hosts. That is, those are certificates for something outside the Fedora system. The xrdp certificate is specific to the system.

How long should the certificate be valid?
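The two variants compared above, as an added shell example that is not from the xrdp package, the upstream Makefile.am or this ticket: it generates a self-signed certificate with a given common name and lifetime, optionally placing the hostname in a subjectAltName (which neither variant currently does), and reads back what a connecting client would be shown. The output directory and the hostname are assumptions; it needs the openssl command-line tool, 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example (not from the xrdp package or the ticket). Requires the openssl
# CLI; -addext needs OpenSSL 1.1.1 or later.
set -eu

# gen_xrdp_cert DIR CN DAYS [HOSTNAME]
# Writes DIR/key.pem and DIR/cert.pem. CN and DAYS mirror the two variants in
# the ticket: upstream (www.xrdp.org, 365 days) and the Fedora package (XRDP,
# 3652 days). If HOSTNAME is given it goes into a subjectAltName so clients that
# match on the SAN can verify the host; the CN never carries a software version.
gen_xrdp_cert() {
    dir=$1; cn=$2; days=$3; host=${4:-}
    mkdir -p "$dir"
    if [ -n "$host" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" \
            -days "$days" -subj "/CN=$cn" \
            -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" \
            -days "$days" -subj "/CN=$cn" >/dev/null 2>&1
    fi
    # The private key is host-specific secret material, unlike the shared
    # trust anchors under /etc/pki; keep it readable by the service only.
    chmod 600 "$dir/key.pem"
}

# cert_cn CERT -> prints the CN exactly as a client would display it
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_san CERT -> prints the DNS entry of the subjectAltName, if any
cert_san() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *\(DNS:[^,]*\).*/\1/p'
}

# cert_outlives_days CERT DAYS -> exit 0 if CERT is still valid DAYS from now,
# non-zero if it will have expired by then (useful for checking the lifetime
# a package generated, or for a monitoring hook that warns before expiry)
cert_outlives_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Run `gen_xrdp_cert /tmp/xrdp-demo XRDP 3652 "$(hostname)"` and then `cert_cn`, `cert_san` and `cert_outlives_days` on `/tmp/xrdp-demo/cert.pem` to see exactly which fields a client receives.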


This isn't really the type of thing you'd contact the committee directly about. All we can really tell you is that your questions are valid, but that we have no guidelines which would provide answers to them. I know I'm not qualified to provide reasonable answers to some of those. This is really the kind of thing you'd discuss on the packaging list, and if anyone wants to take the results of that discussion and propose some packaging guidelines, then the committee would get involved.

I do wonder if sscg, as mentioned in https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup, can help here. But then I probably wonder that because I'm not sure how these certificates differ from the usual certificates used for TLS.
