Agree, there is no real need for storing/recovering the private key, BUT:

On some test/development environments, servers are redeployed rapidly, sometimes multiple times a day (Ansible and cattle servers....).
It is a bit annoying that we soon end up with tons of revoked certificates....

Winfried


Fraser Tweedale via FreeIPA-users wrote on 08-10-2018 5:24:
On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via
FreeIPA-users wrote:
Hi all,

Creating the SSL certs/keys for, for example, Apache can easily be done
by using the FreeIPA Dogtag CA server. With some effort, I put it in an Ansible playbook which will install Apache and certificates "on demand".

Sometimes a server needs to be re-installed ("cattle servers"); why
bother about backup/restore when a server can be redeployed within
minutes. However, a new certificate needs to be created, it seems, since I
cannot (re)download the private key once created.

Now: is it just impossible to (re) download the private ssl key later
on for re-use?

We don't support key archival in FreeIPA.  The underlying Dogtag CA
software supports it but we don't use that feature.

But I put to you: why bother to archive keys when you can just
generate a fresh keypair and request a new certificate.  If a server
redeployment takes minutes, this is a small cost.  It also has
security benefits (less chance of key compromise if keys are not
archived, reduced key compromise impact if servers are regularly destroyed
and replaced with fresh servers with new keys, etc).

The main reason you would archive private keys is for encryption
applications, not authentication (which is what TLS is) or signing.

HTH,
Fraser

If not possible: FreeIPA vault (KRA) seems a proper way to store
private keys. Correct?

Thanks!

Winfried
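The "generate a fresh keypair and request a new certificate on every redeploy" approach that Fraser recommends, expressed as a minimal Ansible play. This is an added example written for this thread, not Winfried's playbook and not FreeIPA project code. It assumes the target host is already enrolled with ipa-client-install, that certmonger's ipa-getcert is available, and that the key/cert paths, the HTTP service principal and the reload command are chosen for an Apache host; all of those are assumptions, adjust them to your layout.

```yaml
# Added example (hypothetical playbook): fresh key + new cert on each deployment.
# Assumes the host is already IPA-enrolled; paths and names are illustrative.
- name: Deploy Apache with a freshly generated, IPA-issued TLS certificate
  hosts: webservers
  become: true
  vars:
    tls_key: /etc/pki/tls/private/httpd.key     # assumed path
    tls_cert: /etc/pki/tls/certs/httpd.crt      # assumed path
    web_fqdn: "{{ ansible_facts['fqdn'] }}"

  tasks:
    - name: Install Apache, mod_ssl and certmonger
      ansible.builtin.package:
        name:
          - httpd
          - mod_ssl
          - certmonger
        state: present

    - name: Ensure certmonger is running so the request can be tracked and renewed
      ansible.builtin.service:
        name: certmonger
        state: started
        enabled: true

    # certmonger generates the private key locally; it is never uploaded to or
    # archived by the CA, which is exactly why it cannot be downloaded later.
    # 'creates' keeps the task idempotent: a rebuilt host has no cert file, so a
    # brand-new keypair is generated and a new certificate is requested.
    - name: Request a new HTTP certificate from the IPA CA with a fresh keypair
      ansible.builtin.command:
        argv:
          - ipa-getcert
          - request
          - -w                              # wait for issuance before continuing
          - -k
          - "{{ tls_key }}"
          - -f
          - "{{ tls_cert }}"
          - -K
          - "HTTP/{{ web_fqdn }}"           # service principal; assumed to exist
          - -D
          - "{{ web_fqdn }}"                # DNS SAN
          - -C
          - "systemctl reload httpd"        # post-save hook: pick up renewals
        creates: "{{ tls_cert }}"
      notify: reload httpd

    - name: Point mod_ssl at the issued key and certificate
      ansible.builtin.lineinfile:
        path: /etc/httpd/conf.d/ssl.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - { regexp: '^SSLCertificateFile ',    line: "SSLCertificateFile {{ tls_cert }}" }
        - { regexp: '^SSLCertificateKeyFile ', line: "SSLCertificateKeyFile {{ tls_key }}" }
      notify: reload httpd

    - name: Ensure Apache is running
      ansible.builtin.service:
        name: httpd
        state: started
        enabled: true

  handlers:
    - name: reload httpd
      ansible.builtin.service:
        name: httpd
        state: reloaded
```

Because the key never leaves the host, there is nothing to back up or restore: a rebuilt cattle server simply ends up with a new key and a new certificate, and the previous certificate can be revoked when the old host entry is removed. That is the trade Fraser describes, where a growing list of revoked certificates is the visible cost of keys that were never archived anywhere.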



_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]