On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via FreeIPA-users 
wrote:
> Hi all,
> 
> Creating the SSL certs/keys for, for example, Apache can easily be done
> by using the FreeIPA Dogtag CA server. With some effort, I put it in an
> Ansible playbook which will install Apache and certificates "on demand".
> 
> Sometimes a server needs to be re-installed ("cattle servers"); why
> bother about backup/restore when a server can be redeployed within
> minutes. However, a new certificate needs to be created, it seems, since I
> cannot (re)download the private key once created.
> 
> Now: is it just impossible to (re)download the private SSL key later
> on for re-use?
> 
We don't support key archival in FreeIPA.  The underlying Dogtag CA
software supports it but we don't use that feature.

But I put to you: why bother to archive keys when you can just
generate a fresh keypair and request a new certificate?  If a server
redeployment takes minutes, this is a small cost.  It also has
security benefits (less chance of key compromise if keys are not
archived, lower key compromise impact if servers are regularly destroyed
and replaced with fresh servers with new keys, etc).

The main reason you would archive private keys is for encryption
applications, not authentication (which is what TLS is) or signing.

HTH,
Fraser

> If not possible: FreeIPA vault (KRA) seems a proper way to store the
> private key. Correct?
> 
> Thanks!
> 
> Winfried 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org