Fraser Tweedale via FreeIPA-users wrote:
> On Wed, Oct 10, 2018 at 12:12:12PM +0200, Winfried de Heiden via
> FreeIPA-users wrote:
>> Agree, there is no real need for storing/recovering the private key, BUT:
>>
>> On some test/development environments servers are re-deployed rapidly,
>> sometimes multiple times a day (Ansible and cattle servers....).
>> It is a bit annoying that we soon end up with tons of revoked certificates....
>>
>> Winfried
>>
> Why revoke? If the keys get destroyed, there's no need to revoke
> (unless you are aware of or suspect key compromise). You can also
> alter the profile (or create a custom profile) to issue short-lived
> certificates, thus avoiding the need to revoke (or, if you revoke,
> limiting the time the certificate appears in a CRL).

He's not revoking the certs, IPA is. We have discussed stopping doing this.

rob

> Cheers,
> Fraser
>
>> Fraser Tweedale via FreeIPA-users wrote on 08-10-2018 5:24:
>>> On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via
>>> FreeIPA-users wrote:
>>>> Hi all,
>>>>
>>>> Creating the SSL certs/keys for, for example, Apache can easily be done
>>>> by using the FreeIPA Dogtag CA server. With some effort, I put it in an
>>>> Ansible playbook which will install Apache and certificates "on demand".
>>>>
>>>> Sometimes a server needs to be re-installed ("cattle servers"); why
>>>> bother about backup/restore when a server can be redeployed within
>>>> minutes. However, a new certificate needs to be created, it seems, since I
>>>> cannot (re)download the private key once created.
>>>>
>>>> Now: is it just impossible to (re)download the private SSL key later
>>>> on for re-use?
>>>>
>>> We don't support key archival in FreeIPA. The underlying Dogtag CA
>>> software supports it but we don't use that feature.
>>>
>>> But I put to you: why bother to archive keys when you can just
>>> generate a fresh keypair and request a new certificate? If a server
>>> redeployment takes minutes, this is a small cost. It also has
>>> security benefits (less chance of key compromise if keys are not
>>> archived, reduced key compromise impact if servers are regularly destroyed
>>> and replaced with fresh servers with new keys, etc.).
>>>
>>> The main reason you would archive private keys is for encryption
>>> applications, not authentication (which is what TLS is) or signing.
>>>
>>> HTH,
>>> Fraser
>>>
>>>> If not possible: FreeIPA vault (KRA) seems a proper way to store the
>>>> private key. Correct?
>>>>
>>>> Thanks!
>>>>
>>>> Winfried
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
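The custom short-lived profile Fraser suggests, worked through as an added example that is not code from the thread's authors or from the FreeIPA project: it clones the stock caIPAserviceCert profile with a shorter validity so redeployed hosts simply let old certificates expire. The profile ID caIPAserviceCertShort, the 7-day value, the sample profile excerpt and the assumption that validity lives under policyset.serverCertSet.2.* in the stock profile are mine.

```shell
#!/bin/sh
# Added example: derive a short-lived FreeIPA service-cert profile from the
# stock caIPAserviceCert profile so redeployed "cattle" hosts can let
# certificates expire instead of piling up revocations.
# Assumptions: stock profile layout (validity lives under
# policyset.serverCertSet.2.*), profile ID caIPAserviceCertShort, 7 days.
NEW_ID=caIPAserviceCertShort
DAYS=7

# Rewrite a Dogtag profile config read on stdin: set the new profileId
# (ipa certprofile-import requires it to match the ID given on the command
# line) and shrink both the validity default and its constraint. Pure text
# processing, so it can be checked offline.
shorten_profile() {
    id="$1"; days="$2"
    sed -e "s/^profileId=.*/profileId=$id/" \
        -e "s/^\(policyset\.serverCertSet\.2\.default\.params\.range\)=.*/\1=$days/" \
        -e "s/^\(policyset\.serverCertSet\.2\.constraint\.params\.range\)=.*/\1=$days/"
}

# Constructed excerpt of the stock profile; the real export has many more keys.
SAMPLE_PROFILE='profileId=caIPAserviceCert
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0'

# Live workflow (needs an admin Kerberos ticket): export, rewrite, import,
# then allow hosts and services to request against the new profile via CA ACL.
create_short_profile() {
    ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.cfg &&
    shorten_profile "$NEW_ID" "$DAYS" <caIPAserviceCert.cfg >"$NEW_ID.cfg" &&
    ipa certprofile-import "$NEW_ID" --file="$NEW_ID.cfg" \
        --desc="Short-lived ($DAYS-day) service certs for redeployable hosts" \
        --store=TRUE &&
    ipa caacl-add-profile hosts_services_caIPAserviceCert --certprofiles="$NEW_ID"
}

# On a freshly deployed host, request a new key and cert with certmonger;
# the key is generated locally and never archived, matching the advice above.
request_cert() {
    ipa-getcert request -T "$NEW_ID" -K "HTTP/$(hostname -f)" \
        -k /etc/pki/tls/private/httpd.key -f /etc/pki/tls/certs/httpd.crt
}

case "${1:-}" in
    --live) create_short_profile ;;
    *) printf '%s\n' "$SAMPLE_PROFILE" | shorten_profile "$NEW_ID" "$DAYS" ;;
esac
```

Without arguments the script only prints the rewritten sample profile; pass --live on an enrolled admin host to create the profile for real.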