Greg Harris wrote:
No worries then. The IPA CA (dogtag) uses NSS for crypto so there is no way the 
CA private key could have been exposed.

If you've issued SSL certs from the IPA CA for services running OpenSSL you 
could re-issue those to be on the safe side, but IPA itself uses only NSS on 
its servers.


Ok, that makes sense.  I figured out that the back end, dogtag, was using NSS, 
but it looked like the web GUI was using OpenSSL.  Re-issuing SSL certs for 
services looks simple enough through the GUI.  Thanks for your help.

The GUI uses NSS as well, via mod_nss. We use OpenSSL for some client libraries in IPA, but so far no servers. We dodged a bullet there.
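The question of which TLS library each IPA component actually loads (dogtag and mod_nss via NSS, some client libraries via OpenSSL) can be answered on the host itself rather than guessed from the GUI. The script below is an added example, not code from the thread or from the FreeIPA project: it reads each readable `/proc/<pid>/maps` on a Linux host and reports which processes have OpenSSL (`libssl`/`libcrypto`) or NSS (`libnss3`, `libssl3`, ...) shared objects mapped, so an administrator can list exactly which services' certificates are worth re-issuing. The sample maps listings are constructed, and the library file-name patterns are assumptions about typical Fedora/RHEL paths.

```python
"""Inventory which TLS library each running process has mapped (Linux /proc).

Added example: classifying a process by the shared objects it has mapped is a
generic check, not an IPA tool. Run as root to see every process; maps files
of other users' processes are unreadable and are skipped.
"""
import os
import re
from typing import Dict, Set

# Library file-name patterns and the TLS stack they indicate (assumed paths;
# the trailing "(\.|$)" keeps "libssl.so.1.0.1e" matching while excluding
# NSS's own "libssl3.so" from the OpenSSL pattern).
LIB_PATTERNS = {
    "openssl": re.compile(r"/lib(ssl|crypto)\.so(\.|$)"),
    "nss": re.compile(r"/lib(nss3|ssl3|nssutil3|softokn3)\.so(\.|$)"),
}


def classify_maps(maps_text: str) -> Set[str]:
    """Return the set of TLS stacks whose shared objects appear in one
    /proc/<pid>/maps listing (passed as text so it can be tested offline)."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue  # anonymous mapping with no backing file
        path = fields[5].strip()
        for stack, pattern in LIB_PATTERNS.items():
            if pattern.search(path):
                found.add(stack)
    return found


def inventory_processes(proc_root: str = "/proc") -> Dict[int, Set[str]]:
    """Scan every readable <proc_root>/<pid>/maps and return {pid: stacks}.
    Only processes with at least one TLS library mapped are reported."""
    result: Dict[int, Set[str]] = {}
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return result  # no procfs here (non-Linux host)
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stacks = classify_maps(fh.read())
        except OSError:
            continue  # process exited or maps not readable by this user
        if stacks:
            result[int(entry)] = stacks
    return result


# Constructed sample listings: one process with NSS mapped (what the thread
# says of dogtag and mod_nss) and one with OpenSSL mapped.
SAMPLE_NSS_PROCESS = """\
7f1a00000000-7f1a00021000 r-xp 00000000 fd:00 1234 /usr/lib64/libnss3.so
7f1a00221000-7f1a00222000 rw-p 00021000 fd:00 1234 /usr/lib64/libnss3.so
7f1a00300000-7f1a00400000 rw-p 00000000 00:00 0
"""
SAMPLE_OPENSSL_PROCESS = """\
7f2b00000000-7f2b00200000 r-xp 00000000 fd:00 5678 /usr/lib64/libssl.so.1.0.1e
7f2b00200000-7f2b00300000 r-xp 00000000 fd:00 5679 /usr/lib64/libcrypto.so.1.0.1e
7f2b00400000-7f2b00401000 rw-p 00000000 00:00 0 [heap]
"""

if __name__ == "__main__":
    for pid, stacks in sorted(inventory_processes().items()):
        print(pid, ", ".join(sorted(stacks)))
```

A process that shows only `openssl` is one whose server or client certificate would be on the re-issue list; a process that shows both stacks (a Python client pulling in libcurl, for instance) still deserves a look at which library handles its listening sockets.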

All that aside, is there a way to rekey the IPA CA?  I’d hate to see the same 
type of vulnerability announced next week for NSS and not have any recourse.

No. You don't re-key a CA, you create a new one. If the CA private key is exposed then it's game over. We don't currently provide a way to rip out the CA and install a replacement. I'm going to get my thoughts together and file an IPA ticket to look into that. It is a non-trivial thing though, and with replication it only gets more interesting.


Freeipa-users mailing list
