|brent timothy saner on 2 May 2017 10:36:59 -0700|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|Re: [PLUG] Migrating and updating a CA|
On 05/02/2017 01:26 PM, Michael Leone wrote: > So what do I do? Change the default_md to sha256; request a new cert > for the CA on the old VM; sign it (sign from the old one, but with the > new option); take the resulting new cert over to the new VM, and use > *that* as the new CA cert, and issue from there, from now on? being that you're upgrading a lot of things here, i'd recommend just building out a new CA from scratch, to be honest; JP's links are super useful and informative. also, make sure you kick your keysizes up too; 1024 is no longer really considered "safe". 2048 should be okay unless you're worried about state-level actors. but yeah, build it all out with the new ssl. keep the custom openssl.cnf handy/nearby for referencing options/extensions, but i'd start fresh with the distro-provided openssl.cnf and go from there. openssl's had a fair bit of changes here and there over the past two years so the old openssl.cnf might not even run with the new binary.
Description: OpenPGP digital signature
___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug