On Wed, Oct 10, 2018 at 12:12:12PM +0200, Winfried de Heiden via FreeIPA-users
wrote:
> Agree, there is no real need for storing/recovering the private key, BUT:
>
> On some test/development environments, servers are re-deployed rapidly,
> sometimes multiple times a day (Ansible and cattle servers...).
> It is a bit annoying that we soon end up with tons of revoked certificates...
>
> Winfried
>
Why revoke? If the keys get destroyed, there's no need to revoke
(unless you are aware of or suspect key compromise). You can also
alter the profile (or create a custom profile) to issue short-lived
certificates, thus avoiding the need to revoke (or, if you do revoke,
limiting the time the certificate appears in a CRL).
Cheers,
Fraser
>
> Fraser Tweedale via FreeIPA-users schreef op 08-10-2018 5:24:
> > On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via
> > FreeIPA-users wrote:
> > > Hi all,
> > >
> > > Creating the SSL certs/keys for, for example, Apache can easily be done
> > > by using the FreeIPA Dogtag CA server. With some effort, I put it in an
> > > Ansible playbook which will install Apache and certificates "on
> > > demand".
> > >
> > > Sometimes a server needs to be re-installed ("cattle servers"); why
> > > bother about backup/restore when a server can be redeployed within
> > > minutes? However, a new certificate needs to be created, it seems, since I
> > > cannot (re)download the private key once created.
> > >
> > > Now: is it just impossible to (re)download the private SSL key later
> > > on for re-use?
> > >
> > We don't support key archival in FreeIPA. The underlying Dogtag CA
> > software supports it but we don't use that feature.
> >
> > But I put to you: why bother to archive keys when you can just
> > generate a fresh keypair and request a new certificate? If a server
> > redeployment takes minutes, this is a small cost. It also has
> > security benefits (less chance of key compromise if keys are not
> > archived, less key compromise impact if servers are regularly destroyed
> > and replaced with fresh servers with new keys, etc).
> >
> > The main reason you would archive private keys is for encryption
> > applications, not authentication (which is what TLS is) or signing.
> >
> > HTH,
> > Fraser
> >
> > > If not possible: FreeIPA vault (KRA) seems a proper way to store the
> > > private key. Correct?
> > >
> > > Thanks!
> > >
> > > Winfried
> >
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
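Fraser's suggestion of a custom short-lived profile, as an added example that is not part of this thread or of FreeIPA itself: it clones the stock caIPAserviceCert profile into a new one with a shorter validity, so certificates on frequently redeployed hosts simply expire instead of accumulating in the CRL. The profile name caShortLived, the 30-day range and the embedded sample fragment are assumptions; the `policyset.serverCertSet.2.*` keys are the validity settings in FreeIPA's stock server-cert profile.

```shell
#!/bin/sh
# Added example (not from the thread): derive a short-lived server-cert
# profile from FreeIPA's stock caIPAserviceCert so test hosts get certs
# that expire on their own instead of piling up in the CRL.
# Assumed: profile name caShortLived, 30-day validity.

# Rewrite the Dogtag validity settings of a profile config read on stdin.
# $1 = desired validity in days, $2 = new profile id.
# The constraint range must be >= the default range or issuance fails,
# so both are set to the same value.
shorten_validity() {
  days="$1"; newid="$2"
  sed -e "s/^profileId=.*/profileId=${newid}/" \
      -e "s/^\(policyset\.serverCertSet\.2\.default\.params\.range\)=.*/\1=${days}/" \
      -e "s/^\(policyset\.serverCertSet\.2\.constraint\.params\.range\)=.*/\1=${days}/"
}

# Constructed fragment mirroring the relevant lines of caIPAserviceCert.
SAMPLE_PROFILE='profileId=caIPAserviceCert
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0'

# Run on an IPA server with an admin Kerberos ticket:  sh this.sh apply
# Exports the stock profile, shortens it, and imports the result.
if [ "${1:-}" = "apply" ]; then
  tmp=$(mktemp) && trap 'rm -f "$tmp" "$tmp.short"' EXIT
  ipa certprofile-show caIPAserviceCert --out="$tmp"
  shorten_validity 30 caShortLived < "$tmp" > "$tmp.short"
  ipa certprofile-import caShortLived --file="$tmp.short" \
      --store=TRUE --desc="30-day server certs for cattle hosts"
fi
```

Hosts can only request against the new profile once a CA ACL permits it (for example via `ipa caacl-add-profile`); certmonger then picks it with `ipa-getcert request -T caShortLived`.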