Michael Leone on 2 May 2017 11:42:40 -0700


Re: [PLUG] Migrating and updating a CA

On Tue, May 2, 2017 at 1:36 PM, brent timothy saner
<brent.saner@gmail.com> wrote:

> being that you're upgrading a lot of things here, i'd recommend just
> building out a new CA from scratch, to be honest; JP's links are super
> useful and informative. also, make sure you kick your keysizes up too;
> 1024 is no longer really considered "safe". 2048 should be okay unless
> you're worried about state-level actors.

Mine are all 2048 already. :-)

> but yeah, build it all out with the new ssl. keep the custom openssl.cnf
> handy/nearby for referencing options/extensions, but i'd start fresh
> with the distro-provided openssl.cnf and go from there. openssl's had a
> fair bit of changes here and there over the past two years so the old
> openssl.cnf might not even run with the new binary.

Been longer than that for this VM; the OpenSSL is 0.9.8g ...

I should build a new CA, I guess, and push it with GP (with a slightly
different name). The only problem would come when I renew the assigned
certs (really, I only have maybe 6 or 7). But if both CA certs are in
the client store, then when the servers renew their certs from the new
CA, then they should show up as valid for the clients, since the
clients already have the new CA root cert.

And once those 6 or so certs are renewed with the new CA cert, I can
find a way to revoke that old CA cert. Or even just leave it there;
nothing will be using it.

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug