[Freeipa-users] Rekey Self-signed CA

Rob Crittenden rcritten at redhat.com
Fri Apr 11 17:38:43 UTC 2014


Greg Harris wrote:
>> No worries then. The IPA CA (dogtag) uses NSS for crypto so there is no way the CA private key could have been exposed.
>>
>> If you've issued SSL certs from the IPA CA for services running OpenSSL you could re-issue those to be on the safe side, but IPA itself uses only NSS on its servers.
>>
>> rob
>>
> Ok, that makes sense.  I figured out that the back end, dogtag, was using NSS, but it looked like the web GUI was using OpenSSL.  Re-issuing SSL certs for services looks simple enough through the GUI.  Thanks for your help.

The GUI uses NSS as well, via mod_nss. We use OpenSSL for some client 
libraries in IPA, but so far no servers. We dodged a bullet there.

> All that aside, is there a way to rekey the IPA CA?  I’d hate to see the same type of vulnerability announced next week for NSS and not have any recourse.

No. You don't re-key a CA, you create a new one. If the CA private key 
is exposed then it's game over. We don't currently provide a way to rip 
out the CA and install a replacement. I'm going to get my thoughts 
together and file an IPA ticket to look into that. It is a non-trivial 
thing though, and with replication it only gets more interesting.

rob



