Hi all,
Creating the SSL certs/keys for for example Apache can easily be done by using the FreeIPA Dogtag CA-server. With some effort, I put it in an Ansible playbook which will install Apache and certficates "on demand".
Sometimes a server needs to be re-installed ("cattle-servers"); why bother about backup/restore when a server can be redeployed within minutes. However, a new certificate needs to created; it seems since I cannot (re)download the private key once created.
Now: is it just impossible to (re) download the private ssl key later on for re-use?
If not possible: FreeIPA vault (KRA) seems a proper way to store private key. Correct?
Thanks!
Winfried
On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via FreeIPA-users wrote:
Hi all,
Creating the SSL certs/keys for for example Apache can easily be done by using the FreeIPA Dogtag CA-server. With some effort, I put it in an Ansible playbook which will install Apache and certficates "on demand".
Sometimes a server needs to be re-installed ("cattle-servers"); why bother about backup/restore when a server can be redeployed within minutes. However, a new certificate needs to created; it seems since I cannot (re)download the private key once created.
Now: is it just impossible to (re) download the private ssl key later on for re-use?
We don't support key archival in FreeIPA. The underlying Dogtag CA software supports it but we don't use that feature.
But I put to you: why bother to archive keys when you can just generate a fresh keypair and request a new certificate. If a server redeployment takes minutes, this is a small cost. It also has security benefits (less chance of key compromise of keys are not archived, key compromise impact is servers are regularly destroyed and replaced with fresh server with new keys, etc).
The main reason you would archive private keys is for encryption applications, not authentication (which is what TLS is) or signing.
HTH, Fraser
If not possible: FreeIPA vault (KRA) seems a proper way to store private key. Correct?
Thanks!
Winfried
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Agree, there no real need for storing/recovering the private key, BUT:
On some test/development environment server are re-deployed rapidly, sometimes multiple time a day. (ansible and cattle servers....) It is a bit annoying we endup soon with tons of revoked certificates....
Winfried
Fraser Tweedale via FreeIPA-users schreef op 08-10-2018 5:24:
On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via FreeIPA-users wrote:
Hi all,
Creating the SSL certs/keys for for example Apache can easily be done by using the FreeIPA Dogtag CA-server. With some effort, I put it in an Ansible playbook which will install Apache and certficates "on demand".
Sometimes a server needs to be re-installed ("cattle-servers"); why bother about backup/restore when a server can be redeployed within minutes. However, a new certificate needs to created; it seems since I cannot (re)download the private key once created.
Now: is it just impossible to (re) download the private ssl key later on for re-use?
We don't support key archival in FreeIPA. The underlying Dogtag CA software supports it but we don't use that feature.
But I put to you: why bother to archive keys when you can just generate a fresh keypair and request a new certificate. If a server redeployment takes minutes, this is a small cost. It also has security benefits (less chance of key compromise of keys are not archived, key compromise impact is servers are regularly destroyed and replaced with fresh server with new keys, etc).
The main reason you would archive private keys is for encryption applications, not authentication (which is what TLS is) or signing.
HTH, Fraser
If not possible: FreeIPA vault (KRA) seems a proper way to store private key. Correct?
Thanks!
Winfried
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Wed, Oct 10, 2018 at 12:12:12PM +0200, Winfried de Heiden via FreeIPA-users wrote:
Agree, there no real need for storing/recovering the private key, BUT:
On some test/development environment server are re-deployed rapidly, sometimes multiple time a day. (ansible and cattle servers....) It is a bit annoying we endup soon with tons of revoked certificates....
Winfried
Why revoke? If the keys get destroyed, there's no need to revoke (unless you are aware or suspect key compromise). You can also alter the profile (or create a custom profile) to issue short-lived certificates, thus avoid the need to revoke (or if you revoke, limiting the time the certificate appears in a CRL).
Cheers, Fraser
Fraser Tweedale via FreeIPA-users schreef op 08-10-2018 5:24:
On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via FreeIPA-users wrote:
Hi all,
Creating the SSL certs/keys for for example Apache can easily be done by using the FreeIPA Dogtag CA-server. With some effort, I put it in an Ansible playbook which will install Apache and certficates "on demand".
Sometimes a server needs to be re-installed ("cattle-servers"); why bother about backup/restore when a server can be redeployed within minutes. However, a new certificate needs to created; it seems since I cannot (re)download the private key once created.
Now: is it just impossible to (re) download the private ssl key later on for re-use?
We don't support key archival in FreeIPA. The underlying Dogtag CA software supports it but we don't use that feature.
But I put to you: why bother to archive keys when you can just generate a fresh keypair and request a new certificate. If a server redeployment takes minutes, this is a small cost. It also has security benefits (less chance of key compromise of keys are not archived, key compromise impact is servers are regularly destroyed and replaced with fresh server with new keys, etc).
The main reason you would archive private keys is for encryption applications, not authentication (which is what TLS is) or signing.
HTH, Fraser
If not possible: FreeIPA vault (KRA) seems a proper way to store private key. Correct?
Thanks!
Winfried
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Fraser Tweedale via FreeIPA-users wrote:
On Wed, Oct 10, 2018 at 12:12:12PM +0200, Winfried de Heiden via FreeIPA-users wrote:
Agree, there no real need for storing/recovering the private key, BUT:
On some test/development environment server are re-deployed rapidly, sometimes multiple time a day. (ansible and cattle servers....) It is a bit annoying we endup soon with tons of revoked certificates....
Winfried
Why revoke? If the keys get destroyed, there's no need to revoke (unless you are aware or suspect key compromise). You can also alter the profile (or create a custom profile) to issue short-lived certificates, thus avoid the need to revoke (or if you revoke, limiting the time the certificate appears in a CRL).
He's not revoking the certs, IPA is. We have discussed stopping doing this.
rob
Cheers, Fraser
Fraser Tweedale via FreeIPA-users schreef op 08-10-2018 5:24:
On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via FreeIPA-users wrote:
Hi all,
Creating the SSL certs/keys for for example Apache can easily be done by using the FreeIPA Dogtag CA-server. With some effort, I put it in an Ansible playbook which will install Apache and certficates "on demand".
Sometimes a server needs to be re-installed ("cattle-servers"); why bother about backup/restore when a server can be redeployed within minutes. However, a new certificate needs to created; it seems since I cannot (re)download the private key once created.
Now: is it just impossible to (re) download the private ssl key later on for re-use?
We don't support key archival in FreeIPA. The underlying Dogtag CA software supports it but we don't use that feature.
But I put to you: why bother to archive keys when you can just generate a fresh keypair and request a new certificate. If a server redeployment takes minutes, this is a small cost. It also has security benefits (less chance of key compromise of keys are not archived, key compromise impact is servers are regularly destroyed and replaced with fresh server with new keys, etc).
The main reason you would archive private keys is for encryption applications, not authentication (which is what TLS is) or signing.
HTH, Fraser
If not possible: FreeIPA vault (KRA) seems a proper way to store private key. Correct?
Thanks!
Winfried
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
freeipa-users@lists.fedorahosted.org