brent timothy saner on 2 May 2017 10:09:39 -0700


Re: [PLUG] Migrating and updating a CA

On 05/02/2017 01:00 PM, Michael Leone wrote:
> So: how do I migrate over my configured CA from the old VM to a new VM?

just rsync? it depends where on the filesystem it is, but if you're
using just plain ol' openssl and a custom openssl.cnf, that dir should
be all you need. by the way, it's advised that if you're relying on
these certs for any sort of integrity, it's a good idea to air-gap the
machine. and yes, i know about signal attacks, but you're much more
likely to be hit by a remote attack against a kernel flaw or such than a
signal eavesdropping attack.

> And then, how do I upgrade my CA root cert itself to SHA-256 (that's
> the latest recommendation, I believe). I do want all my old certs to
> continue working with the new CA root cert.
> I *think* that I need to change my default_md to sha256 in
> openssl.cnf; that will enable all future certs to be sha256, once I
> get a sparkly new VM built, for my upgraded CA..

generally speaking, yes.

> But what of the CA cert? How can I re-issue that, while still
> maintaining backward compatibility with my existing certs?

this is precisely why root CAs use intermediary certs. if you were,
this'd be a lot easier. as it stands, i'm assuming you've imported the
CA system-wide on client systems. the only way forward, if you want your
CA cert to be sha256, is to import the new CA cert and remove the old CA
cert on each client.

you CAN sign the old certs with the new CA, but 1.) gut tells me it's
already cached in so many places you're better off gen-ing new certs,
and 2.) you'd also have to update all the other machines to present the
new certificate (the one signed by the new CA) anyways.

nobody said running your own CA is easy.

Attachment: signature.asc
Description: OpenPGP digital signature
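The approach the reply sketches (copy the CA directory wholesale, set default_md = sha256 in openssl.cnf, and put an intermediate under the root so the root cert rarely has to change on clients), as an added example that is not from the thread and not the original poster's setup. It builds a SHA-256 root, an intermediate signed by that root with `openssl ca`, and a leaf signed by the intermediate, verifies the chain the way a client would (root trusted, intermediate untrusted), and includes a helper that reports which digest an existing cert was signed with. The directory layout under the base directory, 2048-bit RSA keys, and the names "Example Root CA", "Example Intermediate CA" and "server.example.test" are assumptions, not details from the post.

```shell
#!/bin/sh
# Added example, not code from the PLUG thread: a SHA-256 root CA plus an
# intermediate built with plain openssl and a custom openssl.cnf, a leaf cert
# issued by the intermediate, a chain check, and a helper that reports which
# digest an existing cert was signed with. Assumed (not from the post): the
# directory layout under the base dir, 2048-bit RSA keys, and the example names.
set -eu

# Write a minimal openssl.cnf for `openssl ca` into dir $1 and prime its
# database. default_md = sha256 is the setting the thread talks about.
write_ca_cnf() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
unique_subject  = no
x509_extensions = v3_leaf
[ policy_any ]
commonName      = supplied
[ req ]
distinguished_name = dn
prompt          = no
[ dn ]
CN              = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage        = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage        = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Print the signature digest of a cert, e.g. sha256WithRSAEncryption.
# Run this over the old CA's newcerts/ to see which certs are still SHA-1.
sig_alg() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Copy a CA directory wholesale, preserving ownership and modes ("just rsync").
migrate_ca_dir() {
    if command -v rsync >/dev/null 2>&1; then
        rsync -a "$1/" "$2/"
    else
        mkdir -p "$2" && cp -a "$1/." "$2/"
    fi
}

# Build root -> intermediate -> leaf under $1 and verify the chain.
build_hierarchy() {
    base=$1
    write_ca_cnf "$base/root"
    write_ca_cnf "$base/int"
    mkdir -p "$base/leaf"
    # Self-signed root; -sha256 selects the digest of the self-signature.
    openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -days 3650 \
        -config "$base/root/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example Root CA" \
        -keyout "$base/root/ca.key" -out "$base/root/ca.crt"
    # Intermediate CSR, signed by the root; the digest comes from default_md.
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -config "$base/int/openssl.cnf" -subj "/CN=Example Intermediate CA" \
        -keyout "$base/int/ca.key" -out "$base/int/ca.csr"
    openssl ca -batch -notext -config "$base/root/openssl.cnf" -extensions v3_ca \
        -days 1825 -in "$base/int/ca.csr" -out "$base/int/ca.crt"
    # Leaf CSR, signed by the intermediate with the same default_md.
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -config "$base/int/openssl.cnf" -subj "/CN=server.example.test" \
        -keyout "$base/leaf/leaf.key" -out "$base/leaf/leaf.csr"
    openssl ca -batch -notext -config "$base/int/openssl.cnf" -extensions v3_leaf \
        -in "$base/leaf/leaf.csr" -out "$base/leaf/leaf.crt"
    # Clients only trust the root; the intermediate is sent along with the leaf.
    openssl verify -CAfile "$base/root/ca.crt" -untrusted "$base/int/ca.crt" "$base/leaf/leaf.crt"
}

main() {
    base=${1:-$(mktemp -d)}
    build_hierarchy "$base"
    for c in root/ca.crt int/ca.crt leaf/leaf.crt; do
        printf '%-14s %s\n' "$c" "$(sig_alg "$base/$c")"
    done
}
main "${1:-}"
```

Run it with an optional base directory as the only argument; it prints `leaf.crt: OK` from the verify step followed by the digest of each cert. The point of the intermediate is the last line of build_hierarchy: the root is the only thing clients import, so when the intermediate later needs a new digest or key, only the servers presenting it (and their chain files) change, not every client trust store. Run sig_alg over the old CA's issued certs before deciding whether re-signing or re-issuing is the smaller job.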

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --