Re: [PLUG] Migrating and updating a CA

brent timothy saner on 2 May 2017 10:09:39 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Migrating and updating a CA

From: brent timothy saner <brent.saner@gmail.com>
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] Migrating and updating a CA
Date: Tue, 2 May 2017 13:09:22 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:openpgp:message-id:date:user-agent :mime-version:in-reply-to; bh=Of2x3x4gftTJKjq+8X5VMnerT2B6mVgLuUxtqhzTajc=; b=uBkhOnosGGeKnEflPgaMR2nMnN/cnFgp8OioL7Gis25t1ce8OMtTJReMDBW5RSJBbL YLU3Uma+Q0/8Xd5T/ltzd9O9WWgRfP5urHMmAB/Z+AETDrr9W3MO27BmsuFurLfGWiq7 3ej4F4GnRZk4kxI7PvjnDwsPBHBA+1+vjbyWcvwThpJSzntUbjGsB/qVtYViq+RCeHoq oKw9iYnbeNRvnik/ekDki3B02v5kwv2sjWUk/cPZ/w7NRB7IM9wBDbGJBIBwuV/uLTIx PX3TMOZeXTIfu40lf/ZftEQvRjBE94h1lqjZ/FW0XWiKS1M9rhauE4PPdEp8MxdPmrb+ 7CSw==
Openpgp: id=748231EBCBD808A14F5E85D28C004C2F93481F6B
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.0.1

On 05/02/2017 01:00 PM, Michael Leone wrote:
> So: how do I migrate over my configured CA from the old VM to a new VM?

just rsync? it depends where on the filesystem it is, but if you're
using just plain ol' openssl and a custom openssl.cnf, that dir should
be all you need. by the way, it's advised that if you're relying on
these certs for any sort of integrity, it's a good idea to airgap the
machine. and yes, i know about signal attacks, but you're much more
likely to be hit by a remote attack against a kernel flaw or such than a
signal eavesdropping attack.

> And then, how to I upgrade my CA root cert itself to SHA-256 (that's
> the latest recommendation, I believe). I do want all my old certs to
> continue working with the new CA root cert.
> 
> I *think* that I need to change my default_md to sha256 in
> openssl.cnf; that will enable all future certs to be sha256, once I
> get a sparkly new VM built, for my upgraded CA..

generally speaking, yes.

> 
> But what of the CA cert? How can I re-issue that, while still
> maintaining backward compatability with my existing certs?

this is precisely why root CA's use intermediary certs. if you were,
this'd be a lot easier. as it stands, i'm assuming you've imported the
CA system-wide on client systems. the only way forward, if you want your
CA cert to be sha256, is to import the new CA cert and remove the old CA
cert on each client.

you CAN sign the old certs with the new CA, but 1.) gut tells me it's
already cached in so many places you're better off gen-ing new certs,
and 2.) you'd also have to update all the other machines to present the
new certificate (the one signed by the new CA) anyways.

nobody said running your own CA is easy.

Attachment: signature.asc
Description: OpenPGP digital signature

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] Migrating and updating a CA
  - From: JP Vossen <jp@jpsdomain.org>
- Re: [PLUG] Migrating and updating a CA
  - From: Michael Leone <turgon@mike-leone.com>

References:
- [PLUG] Migrating and updating a CA
  - From: Michael Leone <turgon@mike-leone.com>

Prev by Date: [PLUG] Migrating and updating a CA
Next by Date: Re: [PLUG] Migrating and updating a CA
Previous by thread: [PLUG] Migrating and updating a CA
Next by thread: Re: [PLUG] Migrating and updating a CA
Index(es):
- Date
- Thread