On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
>
> Creating the SSL certs/keys for, for example, Apache can easily be done
> by using the FreeIPA Dogtag CA-server. With some effort, I put it in an
> Ansible playbook which will install Apache and certificates "on demand".
>
> Sometimes a server needs to be re-installed ("cattle-servers"); why
> bother about backup/restore when a server can be redeployed within
> minutes. However, a new certificate needs to be created, it seems, since I
> cannot (re)download the private key once created.
>
> Now: is it just impossible to (re)download the private SSL key later
> on for re-use?
>

We don't support key archival in FreeIPA. The underlying Dogtag CA
software supports it but we don't use that feature.

But I put to you: why bother to archive keys when you can just generate a
fresh keypair and request a new certificate? If a server redeployment
takes minutes, this is a small cost. It also has security benefits (less
chance of key compromise if keys are not archived; key compromise impact
is reduced if servers are regularly destroyed and replaced with fresh
servers with new keys, etc.). The main reason you would archive private
keys is for encryption applications, not authentication (which is what
TLS is) or signing.

HTH,
Fraser

> If not possible: FreeIPA vault (KRA) seems a proper way to store
> private key. Correct?
>
> Thanks!
>
> Winfried
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
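The approach Fraser recommends, generating a fresh keypair on the redeployed host and asking the FreeIPA CA for a new certificate instead of archiving the old key, written up as an Ansible play for the Apache case Winfried describes. This is an added example, not code from the thread or from the FreeIPA project. It assumes the host is already enrolled in FreeIPA, that the play runs with a Kerberos ticket able to add services (a host keytab or an admin kinit), and the key/cert paths, the `webservers` group and the `HTTP/<fqdn>` principal are assumptions for this illustration. The private key is generated by certmonger on the host and never has to be copied anywhere, which is the security property the reply points at.

```yaml
# Added example (not from the mailing-list thread or the FreeIPA project).
# Assumptions: host already enrolled in FreeIPA; a Kerberos ticket that may
# add services; the paths, group name and principal below are placeholders.
- name: Apache TLS certificate from the FreeIPA CA, fresh key on every deploy
  hosts: webservers
  become: true
  vars:
    key_file: /etc/pki/tls/private/httpd.key     # assumed path
    cert_file: /etc/pki/tls/certs/httpd.crt      # assumed path
    fqdn: "{{ ansible_facts['fqdn'] }}"
  tasks:
    - name: Install Apache, mod_ssl and certmonger
      ansible.builtin.package:
        name: [httpd, mod_ssl, certmonger]
        state: present

    - name: Ensure certmonger is running so it can request and later renew the cert
      ansible.builtin.service:
        name: certmonger
        state: started
        enabled: true

    - name: Ensure the HTTP service principal for this host exists in FreeIPA
      ansible.builtin.command: ipa service-add HTTP/{{ fqdn }}
      register: svc_add
      # Idempotent: a re-run on a host whose principal already exists is not a failure.
      failed_when: svc_add.rc != 0 and 'already exists' not in svc_add.stderr
      changed_when: svc_add.rc == 0

    - name: Request a new key and certificate via certmonger
      # certmonger generates the private key locally at key_file; only the CSR
      # leaves the host. -w waits for issuance; -C reloads Apache on (re)issue.
      ansible.builtin.command:
        cmd: >
          ipa-getcert request
          -k {{ key_file }} -f {{ cert_file }}
          -K HTTP/{{ fqdn }} -N CN={{ fqdn }} -D {{ fqdn }}
          -C "systemctl reload httpd"
          -w
        # Skip when a certificate is already tracked on this host; on a fresh
        # "cattle" redeploy the file is absent, so a new key is generated.
        creates: "{{ cert_file }}"
```

On a rebuilt server the `creates:` guard sees no certificate and a new keypair is generated, so nothing about the old key needs to be backed up or restored; certmonger keeps tracking the request afterwards and handles renewal, so the same play is also safe to re-run on a host that already has its certificate.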