brent timothy saner on 2 May 2017 10:36:59 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Migrating and updating a CA

On 05/02/2017 01:26 PM, Michael Leone wrote:

> So what do I do? Change the default_md to sha256; request a new cert
> for the CA on the old VM; sign it (sign from the old one, but with the
> new option); take the resulting new cert over to the new VM, and use
> *that* as the new CA cert, and issue from there, from now on?

being that you're upgrading a lot of things here, i'd recommend just
building out a new CA from scratch, to be honest; JP's links are super
useful and informative. also, make sure you kick your keysizes up too;
1024 is no longer really considered "safe". 2048 should be okay unless
you're worried about state-level actors.

but yeah, build it all out with the new ssl. keep the custom openssl.cnf
handy/nearby for referencing options/extensions, but i'd start fresh
with the distro-provided openssl.cnf and go from there. openssl's had a
fair bit of changes here and there over the past two years so the old
openssl.cnf might not even run with the new binary.

Attachment: signature.asc
Description: OpenPGP digital signature

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --