Fraser Tweedale via FreeIPA-users wrote:
> On Wed, Oct 10, 2018 at 12:12:12PM +0200, Winfried de Heiden via 
> FreeIPA-users wrote:
>> Agree, there is no real need for storing/recovering the private key, BUT:
>>
>> On some test/development environments servers are re-deployed rapidly,
>> sometimes multiple times a day. (ansible and cattle servers....)
>> It is a bit annoying we end up soon with tons of revoked certificates....
>>
>> Winfried
>>
> Why revoke?  If the keys get destroyed, there's no need to revoke
> (unless you are aware or suspect key compromise).  You can also
> alter the profile (or create a custom profile) to issue short-lived
> certificates, thus avoiding the need to revoke (or if you revoke,
> limiting the time the certificate appears in a CRL).

He's not revoking the certs, IPA is. We have discussed stopping doing this.

rob

> 
> Cheers,
> Fraser
> 
> 
>>
>> Fraser Tweedale via FreeIPA-users schreef op 08-10-2018 5:24:
>>> On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via
>>> FreeIPA-users wrote:
>>>> Hi all,
>>>>
>>>> Creating the SSL certs/keys for, for example, Apache can easily be done
>>>> by using the FreeIPA Dogtag CA-server. With some effort, I put it in an
>>>> Ansible playbook which will install Apache and certificates "on
>>>> demand".
>>>>
>>>> Sometimes a server needs to be re-installed ("cattle-servers"); why
>>>> bother about backup/restore when a server can be redeployed within
>>>> minutes. However, a new certificate needs to be created, it seems, since I
>>>> cannot (re)download the private key once created.
>>>>
>>>> Now: is it just impossible to (re) download the private ssl key later
>>>> on for re-use?
>>>>
>>> We don't support key archival in FreeIPA.  The underlying Dogtag CA
>>> software supports it but we don't use that feature.
>>>
>>> But I put to you: why bother to archive keys when you can just
>>> generate a fresh keypair and request a new certificate.  If a server
>>> redeployment takes minutes, this is a small cost.  It also has
>>> security benefits (less chance of key compromise if keys are not
>>> archived, key compromise impact is limited if servers are regularly destroyed
>>> and replaced with fresh servers with new keys, etc).
>>>
>>> The main reason you would archive private keys is for encryption
>>> applications, not authentication (which is what TLS is) or signing.
>>>
>>> HTH,
>>> Fraser
>>>
>>>> If not possible: FreeIPA vault (KRA) seems a proper way to store the
>>>> private key. Correct?
>>>>
>>>> Thanks!
>>>>
>>>> Winfried
>>>
>>>
>>>
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>> List Guidelines:
>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: 
>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
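The redeploy flow Fraser recommends (generate a fresh keypair on the new server, submit a CSR to the IPA CA, never archive the key) as an added example; this is not code from the thread or from the FreeIPA project. It assumes `openssl` 1.1.1 or later is installed, that the host is IPA-enrolled with a valid Kerberos ticket when `request_cert` runs, and that the `ipa cert-request --certificate-out` option behaves as in FreeIPA 4.x; the hostname and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-redeploy key generation for an HTTP service cert.
# Nothing here touches archival; the key lives only on the new server.
set -eu

# Generate a new private key and a CSR for the given FQDN.
# The SAN is set because modern clients ignore the CN for hostname checks.
make_key_and_csr() {
    key="$1"; csr="$2"; fqdn="$3"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    chmod 600 "$key"
}

# Submit the CSR to the IPA CA for the host's HTTP service principal.
# Requires an enrolled host and a Kerberos ticket (assumption: FreeIPA 4.x CLI).
request_cert() {
    csr="$1"; cert="$2"; fqdn="$3"
    ipa cert-request --principal="HTTP/$fqdn" --certificate-out="$cert" "$csr"
}

# Read back the CN from a CSR; used to sanity-check what will be submitted.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Typical playbook/handler usage on a freshly deployed host:
#   make_key_and_csr /etc/pki/tls/private/httpd.key /tmp/httpd.csr "$(hostname -f)"
#   request_cert /tmp/httpd.csr /etc/pki/tls/certs/httpd.crt "$(hostname -f)"
```

Because the previous server's key was never stored anywhere else, destroying the old instance is what limits the impact of a compromise; whether the superseded certificate then needs revoking depends on the IPA-side behaviour Rob describes, not on anything this script does.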
