Greg Harris wrote:
No worries then. The IPA CA (dogtag) uses NSS for crypto so there is no way the
CA private key could have been exposed.
If you've issued SSL certs from the IPA CA for services running OpenSSL you
could re-issue those to be on the safe side, but IPA itself uses only NSS on

Ok, that makes sense. I figured out that the back end, dogtag, was using NSS,
but it looked like the web GUI was using OpenSSL. Re-issuing SSL certs for
services looks simple enough through the GUI. Thanks for your help.

The GUI uses NSS as well, via mod_nss. We use OpenSSL for some client
libraries in IPA, but so far no servers. We dodged a bullet there.

All that aside, is there a way to rekey the IPA CA? I’d hate to see the same
type of vulnerability announced next week for NSS and not have any recourse.

No. You don't re-key a CA, you create a new one. If the CA private key
is exposed then it's game over. We don't currently provide a way to rip
out the CA and install a replacement. I'm going to get my thoughts
together and file an IPA ticket to look into that. It is a non-trivial
thing though, and with replication it only gets more interesting.
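One way to find which certmonger-tracked service certificates were issued by the IPA CA, so they can be re-issued as suggested above. This is an added example, not code from the thread or from FreeIPA; the `getcert list` output it parses is constructed, and the request IDs and hostnames in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread: find certmonger-tracked certificates
# issued by the IPA CA so each can be re-issued with `getcert resubmit -i <ID>`.
# The `getcert list` output below is constructed for offline use; on a real
# host you would feed the script the live `getcert list` output instead.

# Print the request ID of every tracked certificate whose CA is "IPA".
ipa_request_ids() {
    awk -v q="'" '
        /^Request ID/ { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        /^[[:space:]]*CA: IPA$/ { print id }
    ' "$1"
}

# Emit (but do not run) one resubmit command per IPA-issued certificate,
# so an administrator can review the list before anything is re-keyed.
resubmit_commands() {
    ipa_request_ids "$1" | while read -r id; do
        printf 'getcert resubmit -i %s\n' "$id"
    done
}

# Constructed sample: two IPA-issued certs and one from certmonger's SelfSign CA.
SAMPLE_LIST="${TMPDIR:-/tmp}/getcert-list-sample.$$"
cat > "$SAMPLE_LIST" <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140410161915':
	status: MONITORING
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa.example.com,O=EXAMPLE.COM
Request ID '20140410162003':
	status: MONITORING
	key pair storage: type=FILE,location='/etc/pki/tls/private/web.key'
	CA: SelfSign
	issuer: CN=web.example.com
	subject: CN=web.example.com
Request ID '20140410162131':
	status: MONITORING
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa.example.com,O=EXAMPLE.COM
EOF

# Running the script prints the two resubmit commands for review.
resubmit_commands "$SAMPLE_LIST"
```

Only certificates whose `CA:` line is `IPA` are selected, so certificates tracked from other CAs are left alone.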
Freeipa-users mailing list