On Wed, Oct 10, 2018 at 12:12:12PM +0200, Winfried de Heiden via FreeIPA-users wrote:
> Agree, there is no real need for storing/recovering the private key, BUT:
>
> On some test/development environments servers are re-deployed rapidly,
> sometimes multiple times a day. (ansible and cattle servers....)
> It is a bit annoying we end up soon with tons of revoked certificates....
>
> Winfried
>
Why revoke? If the keys get destroyed, there's no need to revoke
(unless you are aware of or suspect key compromise).

You can also alter the profile (or create a custom profile) to issue
short-lived certificates, thus avoiding the need to revoke (or, if you
do revoke, limiting the time the certificate appears in a CRL).

Cheers,
Fraser

>
> Fraser Tweedale via FreeIPA-users wrote on 08-10-2018 5:24:
> > On Fri, Oct 05, 2018 at 04:43:15PM +0200, Winfried de Heiden via
> > FreeIPA-users wrote:
> > > Hi all,
> > >
> > > Creating the SSL certs/keys for, for example, Apache can easily be done
> > > by using the FreeIPA Dogtag CA-server. With some effort, I put it in an
> > > Ansible playbook which will install Apache and certificates "on
> > > demand".
> > >
> > > Sometimes a server needs to be re-installed ("cattle-servers"); why
> > > bother about backup/restore when a server can be redeployed within
> > > minutes. However, a new certificate needs to be created, it seems, since I
> > > cannot (re)download the private key once created.
> > >
> > > Now: is it just impossible to (re)download the private SSL key later
> > > on for re-use?
> > >
> > We don't support key archival in FreeIPA. The underlying Dogtag CA
> > software supports it but we don't use that feature.
> >
> > But I put to you: why bother to archive keys when you can just
> > generate a fresh keypair and request a new certificate. If a server
> > redeployment takes minutes, this is a small cost. It also has
> > security benefits (less chance of key compromise if keys are not
> > archived, key compromise impact is limited if servers are regularly destroyed
> > and replaced with fresh servers with new keys, etc).
> >
> > The main reason you would archive private keys is for encryption
> > applications, not authentication (which is what TLS is) or signing.
> >
> > HTH,
> > Fraser
> >
> > > If not possible: FreeIPA vault (KRA) seems a proper way to store
> > > private key. Correct?
> > >
> > > Thanks!
> > >
> > > Winfried
> > >
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > To unsubscribe send an email to
> > > freeipa-users-le...@lists.fedorahosted.org
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines:
> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
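Fraser's suggestion of a custom profile with a short validity period, as an added worked example (it is not code from this thread or from the FreeIPA project). It exports the stock `caIPAserviceCert` profile with `ipa certprofile-show --out`, rewrites the Dogtag validity keys, and re-imports the result under a new id. Assumptions: the validity lives in the `policyset.serverCertSet.2.default.params.range` / `...constraint.params.range` keys (in days), which is how the default FreeIPA service-cert profile is laid out; the profile id `caIPAserviceCertShort` and the `--create` switch are placeholders of this example; and `create_profile` needs an admin Kerberos ticket. The sample profile excerpt is constructed for the offline demo.

```shell
#!/bin/sh
# Added example: derive a short-lived server-certificate profile from
# FreeIPA's caIPAserviceCert so redeployed "cattle" hosts get certificates
# that simply expire instead of piling up in the CRL.

NEW_PROFILE_ID="${NEW_PROFILE_ID:-caIPAserviceCertShort}"   # placeholder id
DAYS="${DAYS:-14}"                                          # validity in days

# Constructed excerpt of an exported profile; only the keys this script
# touches plus a little context. Real exports are much longer.
sample_profile() {
    cat <<'EOF'
profileId=caIPAserviceCert
classId=caEnrollImpl
desc=Server certificates with IPA-RA agent authentication (constructed sample)
visible=false
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
EOF
}

# shorten_validity IN OUT DAYS PROFILE_ID
# Rewrites the profileId and both validity ranges (the default that the CA
# applies and the constraint that caps what a CSR may ask for) so the file
# can be imported as a new, independent profile.
shorten_validity() {
    in="$1"; out="$2"; days="$3"; id="$4"
    sed -e "s/^profileId=.*/profileId=${id}/" \
        -e "s/^\(policyset\.serverCertSet\.2\.default\.params\.range\)=.*/\1=${days}/" \
        -e "s/^\(policyset\.serverCertSet\.2\.constraint\.params\.range\)=.*/\1=${days}/" \
        "$in" > "$out"
}

# current_range FILE: print the default validity (days) of a profile config.
current_range() {
    sed -n 's/^policyset\.serverCertSet\.2\.default\.params\.range=//p' "$1"
}

# create_profile: export the stock profile, shorten it, import it as new.
# Requires the ipa client and an admin ticket (kinit admin).
create_profile() {
    exported=$(mktemp); shortened=$(mktemp)
    ipa certprofile-show caIPAserviceCert --out="$exported"
    shorten_validity "$exported" "$shortened" "$DAYS" "$NEW_PROFILE_ID"
    ipa certprofile-import "$NEW_PROFILE_ID" --file="$shortened" --store=TRUE \
        --desc="Short-lived service certificates (${DAYS} days)"
    rm -f "$exported" "$shortened"
}

# demo: run the rewrite on the constructed sample and show the changed keys.
demo() {
    before=$(mktemp); after=$(mktemp)
    sample_profile > "$before"
    shorten_validity "$before" "$after" "$DAYS" "$NEW_PROFILE_ID"
    echo "default validity: $(current_range "$before") -> $(current_range "$after") days"
    grep -E '^(profileId|policyset\.serverCertSet\.2\.(default|constraint)\.params\.range)=' "$after"
    rm -f "$before" "$after"
}

if [ "${1:-}" = "--create" ]; then
    create_profile
else
    demo
fi
```

Once the profile exists, a redeployed host requests its certificate against it (`ipa cert-request --principal=HTTP/host.example.test --profile-id=caIPAserviceCertShort host.csr`, with the principal and CSR path being whatever the playbook already uses) and the previous certificate is left to expire within `DAYS`; revocation is reserved for the case the thread names, a known or suspected key compromise. The constraint range is lowered together with the default so a CSR cannot ask for a longer validity than the profile is meant to grant.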