I am working out the best way to enable SSL in a new 389 directory suite setup. I found that when updating the SSL certificate, there are problems with the symmetric keys used for attribute encryption. The instructions simply say to delete those entries and have the directory create new keys on startup after a certificate update.
This worries me because if there is encrypted data locked to the lost keys, wouldn't that remain unrecoverable?
Is there a best practice regarding installation of SSL certificates? Should I follow the self-signed cert steps and set a long lifetime on that cert, and then separate that from the SSL connectivity certificate (which we buy from an official certificate authority)?
Thanks, Russ.
On 10/23/2013 03:34 PM, Russell Beall wrote:
> I am working out the best way to enable SSL in a new 389 directory suite setup. I found that when updating the SSL certificate, there are problems with the symmetric keys used for attribute encryption. The instructions simply say to delete those entries and have the directory create new keys on startup after a certificate update.
> This worries me because if there is encrypted data locked to the lost keys, wouldn't that remain unrecoverable?
Unless you are actually using attribute encryption, you don't have to worry about this at all.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/...
Especially this: "WARNING If the SSL certificate is expiring and needs to be renewed, export the encrypted backend instance before the renewal. Update the certificate, then re-import the exported LDIF file."
Basically: back up your old cert/key, then run "# db2ldif -n dbname -E" to dump your data unencrypted, then change your cert/key, then run "# ldif2db -n dbname -E" to load your data and encrypt it with the new key.
> Is there a best practice regarding installation of SSL certificates? Should I follow the self-signed cert steps and set a long lifetime on that cert, and then separate that from the SSL connectivity certificate (which we buy from an official certificate authority)?
I'm not sure what you mean. 389 supports regular certs that you obtain from a 3rd party CA. You should not have to create self signed certs if you do not want to.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/...
> Thanks, Russ.
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
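The export / cert change / re-import procedure Rich outlines, as an added script that is not from the thread or the 389 project. It assumes the instance and backend names, the /etc/dirsrv/slapd-INSTANCE layout with the dbm-format NSS files (cert8.db, key3.db), that stop-dirsrv, start-dirsrv, db2ldif and ldif2db are on PATH, and that db2ldif accepts -a for the output file and ldif2db -i for the input file; the operator installs the new cert between the two phases.

```shell
#!/bin/sh
# Re-encrypt a 389 DS backend across an SSL cert change, offline, in two phases:
#   --export : stop instance, back up cert/key, dump decrypted (db2ldif -E)
#   --import : reload the dump and encrypt with the new key (ldif2db -E), start
# Instance/backend names and paths below are assumptions, not from the thread.
set -eu

INSTANCE="${INSTANCE:-example}"           # assumed instance name
BACKEND="${BACKEND:-userRoot}"            # "dbname" in the thread
CONFDIR="/etc/dirsrv/slapd-$INSTANCE"     # assumed dse.ldif / NSS db location
WORK="${WORK:-/var/tmp/attr-reencrypt}"   # holds the cleartext export; keep it private
LDIF="$WORK/$BACKEND.ldif"

# Count LDIF entries (one "dn:" line each): sanity check that the decrypted
# export actually holds the data before the old key is replaced.
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# Returns 0 when dse.ldif declares any encrypted attribute; if none, the
# key rotation does not touch user data and the dump/reimport is unnecessary.
attr_encryption_configured() {
    grep -qi '^objectClass: nsAttributeEncryption' "$1"
}

export_decrypted() {
    if ! attr_encryption_configured "$CONFDIR/dse.ldif"; then
        echo "no encrypted attributes configured; nothing to re-encrypt" >&2
        return 0
    fi
    umask 077 && mkdir -p "$WORK"
    stop-dirsrv "$INSTANCE"
    cp -p "$CONFDIR/cert8.db" "$CONFDIR/key3.db" "$WORK/"   # back up old cert/key
    db2ldif -n "$BACKEND" -E -a "$LDIF"                     # dump unencrypted
    n=$(ldif_entry_count "$LDIF")
    [ "$n" -gt 0 ] || { echo "empty export, do not change the key" >&2; return 1; }
    echo "exported $n entries; install the new cert/key, then run --import" >&2
}

import_encrypted() {
    [ "$(ldif_entry_count "$LDIF")" -gt 0 ] || { echo "no export found" >&2; return 1; }
    ldif2db -n "$BACKEND" -E -i "$LDIF"                     # encrypt with the new key
    start-dirsrv "$INSTANCE"
    shred -u "$LDIF"                                        # cleartext no longer needed
}

case "${1:-}" in
    --export) export_decrypted ;;
    --import) import_encrypted ;;
esac
```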
On Oct 23, 2013, at 3:29 PM, Rich Megginson rmeggins@redhat.com wrote:
> Unless you are actually using attribute encryption, you don't have to worry about this at all.
Ok, as long as there are no side effects such as an encrypted changelog or passwords encrypted by those keys. I think I got mixed messages when poring through the message boards from the Google search results.
> Is there a best practice regarding installation of SSL certificates? Should I follow the self-signed cert steps and set a long lifetime on that cert, and then separate that from the SSL connectivity certificate (which we buy from an official certificate authority)?
> I'm not sure what you mean. 389 supports regular certs that you obtain from a 3rd party CA. You should not have to create self signed certs if you do not want to.
Yes, I was able to install just the cert and CA cert chain from a 3rd party CA. The issue I was hoping to handle was perhaps to separate this cert and use it only on the SSL channels, and then perhaps also use a self-signed cert that could stay the same for long term use with attribute encryption. Then the SSL cert could be updated every few years without affecting attribute encryption and requiring the dump/reimport.
Regards, Russ.
On 10/23/2013 05:33 PM, Russell Beall wrote:
> On Oct 23, 2013, at 3:29 PM, Rich Megginson rmeggins@redhat.com wrote:
>> Unless you are actually using attribute encryption, you don't have to worry about this at all.
> Ok, as long as there are no side effects such as an encrypted changelog
Yes, encrypted changelog is affected.
> or passwords encrypted by those keys.
No, passwords are generally hashed, not encrypted.
> I think I got mixed messages when poring through the message boards from the Google search results.
>> Is there a best practice regarding installation of SSL certificates? Should I follow the self-signed cert steps and set a long lifetime on that cert, and then separate that from the SSL connectivity certificate (which we buy from an official certificate authority)?
>> I'm not sure what you mean. 389 supports regular certs that you obtain from a 3rd party CA. You should not have to create self signed certs if you do not want to.
> Yes, I was able to install just the cert and CA cert chain from a 3rd party CA. The issue I was hoping to handle was perhaps to separate this cert and use it only on the SSL channels, and then perhaps also use a self-signed cert that could stay the same for long term use with attribute encryption. Then the SSL cert could be updated every few years without affecting attribute encryption and requiring the dump/reimport.
Ah, I see. Yes, that would be nice, to have separate keys for SSL and encryption. Please file an enhancement ticket.
> Regards, Russ.