> No worries then. The IPA CA (dogtag) uses NSS for crypto so there is no way 
> the CA private key could have been exposed.
> 
> If you've issued SSL certs from the IPA CA for services running OpenSSL you 
> could re-issue those to be on the safe side, but IPA itself uses only NSS on 
> its servers.
> 
> rob
> 
Ok, that makes sense.  I figured out that the back end, dogtag, was using NSS, 
but it looked like the web GUI was using OpenSSL.  Re-issuing SSL certs for 
services looks simple enough through the GUI.  Thanks for your help.

All that aside, is there a way to rekey the IPA CA?  I’d hate to see the same 
type of vulnerability announced next week for NSS and not have any recourse.

Thank you.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
