> No worries then. The IPA CA (dogtag) uses NSS for crypto so there is no way 
> the CA private key could have been exposed.
> If you've issued SSL certs from the IPA CA for services running OpenSSL you 
> could re-issue those to be on the safe side, but IPA itself uses only NSS on 
> its servers.
> rob
Ok, that makes sense.  I figured out that the back end, dogtag, was using NSS, 
but it looked like the web GUI was using OpenSSL.  Re-issuing SSL certs for 
services looks simple enough through the GUI.  Thanks for your help.

All that aside, is there a way to rekey the IPA CA?  I’d hate to see the same 
type of vulnerability announced next week for NSS and not have any recourse.

Thank you.

Freeipa-users mailing list

Reply via email to