Fraser Tweedale via FreeIPA-users wrote:
On Wed, Oct 10, 2018 at 12:12:12PM +0200, Winfried de Heiden via
FreeIPA-users wrote:
> Agree, there is no real need for storing/recovering the private key, BUT:
>
> On some test/development environments, servers are re-deployed rapidly,
> sometimes multiple times a day (ansible and cattle servers....).
> It is a bit annoying that we soon end up with tons of revoked certificates....
>
> Winfried
>
Why revoke? If the keys get destroyed, there's no need to revoke
(unless you are aware of or suspect key compromise). You can also
alter the profile (or create a custom profile) to issue short-lived
certificates, thus avoiding the need to revoke (or, if you do revoke,
limiting the time the certificate appears in a CRL).
He's not revoking the certs, IPA is. We have discussed stopping doing this.
rob
Cheers,
Fraser
>
> Fraser Tweedale via FreeIPA-users wrote on 08-10-2018 5:24:
>> On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via
>> FreeIPA-users wrote:
>>> Hi all,
>>>
>>> Creating the SSL certs/keys for, for example, Apache can easily be done
>>> by using the FreeIPA Dogtag CA-server. With some effort, I put it in an
>>> Ansible playbook which will install Apache and certificates "on demand".
>>>
>>> Sometimes a server needs to be re-installed ("cattle-servers"); why
>>> bother about backup/restore when a server can be redeployed within
>>> minutes. However, a new certificate needs to be created, it seems, since I
>>> cannot (re)download the private key once created.
>>>
>>> Now: is it just impossible to (re)download the private SSL key later
>>> on for re-use?
>>>
>> We don't support key archival in FreeIPA. The underlying Dogtag CA
>> software supports it but we don't use that feature.
>>
>> But I put to you: why bother to archive keys when you can just
>> generate a fresh keypair and request a new certificate? If a server
>> redeployment takes minutes, this is a small cost. It also has
>> security benefits (less chance of key compromise if keys are not
>> archived, key compromise impact is limited if servers are regularly destroyed
>> and replaced with fresh servers with new keys, etc).
>>
>> The main reason you would archive private keys is for encryption
>> applications, not authentication (which is what TLS is) or signing.
>>
>> HTH,
>> Fraser
>>
>>> If not possible: FreeIPA vault (KRA) seems a proper way to store the
>>> private key. Correct?
>>>
>>> Thanks!
>>>
>>> Winfried
>>
>>
>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
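Fraser's suggestion of a custom profile that issues short-lived certificates, worked through as an added example (not code from anyone in the thread or from the FreeIPA project): a POSIX shell helper that rewrites the validity range in a Dogtag raw profile exported with `ipa certprofile-show --out`, so that the copy can be imported under a new name. The profile excerpt is constructed, and the profile name `caShortLived` and the 30-day validity are assumptions.

```shell
# Added example, not from the thread. Assumed workflow (run as an IPA admin):
#   ipa certprofile-show caIPAserviceCert --out orig.cfg
#   shorten_validity orig.cfg short.cfg 30
#   ipa certprofile-import caShortLived --file short.cfg \
#       --store TRUE --desc 'Short-lived service certs'

# Rewrite the Validity Default and Validity Constraint ranges (in days) of
# the serverCertSet policy. The constraint caps what the default may issue,
# so both are set to the same value to keep enrollment working.
shorten_validity() {
    in="$1"; out="$2"; days="$3"
    case "$days" in
        ''|*[!0-9]*) echo "days must be a positive integer" >&2; return 1 ;;
    esac
    sed -e "s/^\(policyset\.serverCertSet\.2\.default\.params\.range=\).*/\1${days}/" \
        -e "s/^\(policyset\.serverCertSet\.2\.constraint\.params\.range=\).*/\1${days}/" \
        "$in" > "$out"
    # Fail if the input did not contain both keys (e.g. wrong profile exported).
    grep -q "^policyset\.serverCertSet\.2\.default\.params\.range=${days}\$" "$out" &&
    grep -q "^policyset\.serverCertSet\.2\.constraint\.params\.range=${days}\$" "$out"
}

# Read back the default validity (days) from a profile file.
profile_validity_days() {
    sed -n 's/^policyset\.serverCertSet\.2\.default\.params\.range=//p' "$1"
}

# Constructed excerpt of an exported profile, mirroring the validity keys
# of the stock caIPAserviceCert profile (roughly two years).
SAMPLE_PROFILE="$(mktemp)"
cat > "$SAMPLE_PROFILE" <<'EOF'
profileId=caIPAserviceCert
classId=caEnrollImpl
enable=true
policyset.list=serverCertSet
policyset.serverCertSet.list=2
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
EOF

SHORT_PROFILE="$(mktemp)"
shorten_validity "$SAMPLE_PROFILE" "$SHORT_PROFILE" 30
echo "default validity: $(profile_validity_days "$SHORT_PROFILE") days"
```

Certificates issued from the imported profile then expire within the redeployment cycle, so a destroyed server's certificate drops out of the CRL on its own even if IPA revokes it.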