[Freeipa-users] Rekey Self-signed CA
Rob Crittenden
rcritten at redhat.com
Fri Apr 11 00:30:37 UTC 2014
Greg Harris wrote:
> Rob,
>
> Thanks for the quick response. It’s version 3.0, as included in CentOS
> 6.5 EPEL. Yes, I’m running the IPA CA, installed as a self-signed
> setup. By rekey, I mean generating a new Public/Private key pair for
> the CA certificate, and then subsequently rekeying all of the certs
> below. Main reason? Heartbleed.

No worries then. The IPA CA (dogtag) uses NSS for crypto so there is no
way the CA private key could have been exposed.

If you've issued SSL certs from the IPA CA for services running OpenSSL
you could re-issue those to be on the safe side, but IPA itself uses
only NSS on its servers.

rob