Michael Leone on 2 May 2017 11:42:40 -0700 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] Migrating and updating a CA |
On Tue, May 2, 2017 at 1:36 PM, brent timothy saner <brent.saner@gmail.com> wrote: > being that you're upgrading a lot of things here, i'd recommend just > building out a new CA from scratch, to be honest; JP's links are super > useful and informative. also, make sure you kick your keysizes up too; > 1024 is no longer really considered "safe". 2048 should be okay unless > you're worried about state-level actors. Mine are all 2048 already. :-) > but yeah, build it all out with the new ssl. keep the custom openssl.cnf > handy/nearby for referencing options/extensions, but i'd start fresh > with the distro-provided openssl.cnf and go from there. openssl's had a > fair bit of changes here and there over the past two years so the old > openssl.cnf might not even run with the new binary. Been longer than that for this VM; the OpenSSL is 0.9.8g ... I should build a new CA, I guess, and push it with GP (with a slightly different name). The only problem would come when I renew the assigned certs (really, I only have maybe 6 or 7). But if both CA certs are in the client store, then when the servers renew their certs from the new CA, then they should show up as valid for the clients, since the clients already have the new CA root cert. And once those 6 or so certs are renewed with the new CA cert, I can find a way to revoke that old CA cert. Or even just leave it there; nothing will be using it. Thanks ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug