brent timothy saner on 2 May 2017 10:36:59 -0700



Re: [PLUG] Migrating and updating a CA


On 05/02/2017 01:26 PM, Michael Leone wrote:

> So what do I do? Change the default_md to sha256; request a new cert
> for the CA on the old VM; sign it (sign from the old one, but with the
> new option); take the resulting new cert over to the new VM, and use
> *that* as the new CA cert, and issue from there, from now on?

being that you're upgrading a lot of things here, i'd recommend just
building out a new CA from scratch, to be honest; JP's links are super
useful and informative. also, make sure you kick your keysizes up too;
1024 is no longer really considered "safe". 2048 should be okay unless
you're worried about state-level actors.

but yeah, build it all out with the new ssl. keep the custom openssl.cnf
handy/nearby for referencing options/extensions, but i'd start fresh
with the distro-provided openssl.cnf and go from there. openssl's had a
fair bit of changes here and there over the past two years so the old
openssl.cnf might not even run with the new binary.

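The from-scratch rebuild the reply recommends, as an added example that is not code from the post or from the PLUG list: a POSIX sh script that writes a minimal openssl.cnf with default_md = sha256 and 2048-bit RSA keys, builds a root CA in a fresh directory, issues one server certificate through `openssl ca` (so the CA-side default_md is what gets used), and checks any PEM certificate for the legacy settings the thread warns about (a SHA-1 or MD5 signature, or a key shorter than 2048 bits). The directory layout, the CA name "Example Lab Root CA" and the hostname host.example.test are constructed for this demo; it needs an openssl binary new enough to support `req -addext`.

```shell
#!/bin/sh
# Added example, not code from the list post: build a root CA from scratch
# with current defaults (default_md = sha256, 2048-bit RSA), issue one
# server certificate through "openssl ca", and check a PEM cert for the
# legacy settings the thread warns about (SHA-1 signatures, keys < 2048).
# All names, paths and the hostname below are constructed for this demo.
set -eu

# Write a minimal openssl.cnf for the new CA into $1 (a fresh directory).
# $dir is expanded by the shell; \$dir is left for openssl's own expansion.
write_ca_config() {
  dir="$1"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default

[ CA_default ]
dir                = $dir
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 825
policy             = policy_any
x509_extensions    = v3_server
copy_extensions    = copy

[ policy_any ]
commonName         = supplied

[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
CN = Example Lab Root CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints   = CA:FALSE
keyUsage           = critical, digitalSignature, keyEncipherment
extendedKeyUsage   = serverAuth
EOF
}

# Create the CA directory layout, key and self-signed root certificate in $1.
build_new_ca() {
  dir="$1"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"
  write_ca_config "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 \
    -key "$dir/ca.key" -out "$dir/ca.crt"
}

# Issue a server certificate for hostname $2 from the CA in $1.
# The signature digest comes from default_md in [CA_default].
issue_cert() {
  dir="$1"; name="$2"
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
    -addext "subjectAltName=DNS:$name" -out "$dir/$name.csr"
  openssl ca -config "$dir/openssl.cnf" -batch -notext \
    -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}

# Signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Public key size in bits; tolerates both the 1.x and 3.x -text layouts.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text |
    grep 'Public-Key:' | head -n 1 | tr -dc '0-9'
}

# Return 0 when the cert clears the floor the reply suggests, 1 when it has
# a SHA-1/MD5 signature or an RSA key shorter than 2048 bits.
cert_is_modern() {
  alg=$(cert_sig_alg "$1")
  bits=$(cert_key_bits "$1")
  case "$alg" in *sha1*|*md5*) return 1 ;; esac
  [ "${bits:-0}" -ge 2048 ]
}

# Usage: sh newca.sh run   (builds the CA in a temp dir and reports on it)
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  build_new_ca "$work"
  issue_cert "$work" "host.example.test"
  for c in ca.crt host.example.test.crt; do
    printf '%s: %s, %s bits -> ' "$c" \
      "$(cert_sig_alg "$work/$c")" "$(cert_key_bits "$work/$c")"
    cert_is_modern "$work/$c" && echo modern || echo legacy
  done
fi
```

Running `cert_is_modern` against the old CA's certificate and a few of its issued certs is a quick way to see which parts of the existing tree are on SHA-1 or 1024-bit keys before deciding what to reissue; the CA built here is a lab layout, so a real deployment would also want CRL settings and an offline-stored root key.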

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug