On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via FreeIPA-users wrote:
Creating the SSL certs/keys for, for example, Apache can easily be done
by using the FreeIPA Dogtag CA server. With some effort, I put it in an
Ansible playbook which will install Apache and certificates "on demand".
Sometimes a server needs to be re-installed ("cattle servers"); why
bother about backup/restore when a server can be redeployed within
minutes? However, a new certificate needs to be created, it seems, since I
cannot (re)download the private key once created.
Now: is it just impossible to (re)download the private SSL key later
on for re-use?
We don't support key archival in FreeIPA. The underlying Dogtag CA
software supports it but we don't use that feature.
But I put to you: why bother to archive keys when you can just
generate a fresh keypair and request a new certificate. If a server
redeployment takes minutes, this is a small cost. It also has
security benefits (less chance of key compromise if keys are not
archived, the impact of a key compromise is reduced if servers are regularly destroyed
and replaced with fresh servers with new keys, etc).
The main reason you would archive private keys is for encryption
applications, not authentication (which is what TLS is) or signing.
If not possible: FreeIPA Vault (KRA) seems a proper way to store a
private key. Correct?
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
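The "generate a fresh keypair and request a new certificate" approach from the reply, as an added example that is not part of the thread and not FreeIPA's or certmonger's own code: on a rebuilt host, certmonger (`ipa-getcert request`) generates a new private key locally and asks the FreeIPA CA for a certificate, so there is never an old key to recover. Assumptions not stated in the thread: the host is already enrolled with ipa-client-install, a service principal HTTP/<fqdn> exists, and Apache reads its key and certificate from the two paths used below. The `cert_status`/`cert_is_issued` helpers and the sample `ipa-getcert list` record are constructed for this example so the parsing part runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger itself.
# On a rebuilt "cattle" host, ask certmonger to generate a fresh keypair and
# request a new certificate from the FreeIPA CA, instead of trying to restore
# the old private key. Assumed (not stated in the thread): the host is already
# enrolled with ipa-client-install, a service principal HTTP/<fqdn> exists,
# and Apache reads its key/cert from the two paths below.
set -eu

KEY=/etc/pki/tls/private/httpd.key
CERT=/etc/pki/tls/certs/httpd.crt

# Request a certificate tracked by certmonger. The key file does not exist on
# a freshly deployed host, so certmonger generates a new private key locally;
# it never leaves the host and nothing has to be archived in the CA/KRA.
# -K: Kerberos principal the cert is for, -D: DNS SAN, -C: post-save command.
request_fresh_cert() {
    fqdn=$(hostname -f)
    ipa-getcert request \
        -f "$CERT" -k "$KEY" \
        -K "HTTP/$fqdn" -D "$fqdn" \
        -C "systemctl reload httpd"
}

# Extract the status field from `ipa-getcert list` output (first record).
# MONITORING means the cert was issued and certmonger will renew it;
# anything else (CA_UNREACHABLE, NEED_GUIDANCE, ...) needs attention.
cert_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*status: \([A-Z_]*\).*/\1/p' | head -n 1
}

# Exit 0 only if the tracked request reached MONITORING.
cert_is_issued() {
    [ "$(cert_status "$1")" = MONITORING ]
}

# Constructed sample of `ipa-getcert list -f /etc/pki/tls/certs/httpd.crt`
# output, shaped like certmonger's, so the parser can be exercised offline.
sample_list_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID 'httpd-example':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/httpd.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/httpd.crt'
        CA: IPA
        subject: CN=www.example.test,O=EXAMPLE.TEST
EOF
}

# Typical use in a deploy script on a fresh host (needs ipa-getcert, so it is
# not invoked here):
#   request_fresh_cert
#   cert_is_issued "$(ipa-getcert list -f "$CERT")" || echo "not issued yet"
```

Because the private key is created on the host and only the CSR goes to the CA, a redeploy costs one `ipa-getcert request` and no backup of key material; certmonger also tracks the certificate and renews it before expiry, which is the property the reply trades key archival for.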