On 4/16/2014 7:14 AM, Matti Nykyri <matti.nyk...@iki.fi> wrote:
> On Apr 16, 2014, at 13:52, Tanstaafl <tansta...@libertytrek.org> wrote:
>> Or will simply replacing my self-signed certs with the new real ones be good
>> enough?

> No it will not. Keys are the ones that have been compromised. You need
> to create new keys. With those keys you need to create a certificate
> request. Then you send that request to the certificate authority for
> signing and publishing in their CRL. When you receive the signed
> certificate you can start using it with your key. Never send your key
> to the CA or expect to get a key from them.

Ok, thanks...

But... if I do this (create a new key-pair and CR), will this immediately invalidate my old ones (i.e., will my current production server stop working until I get the new certs installed)?

I'm guessing not (or else there would be a lot of downtime for lots of sites involved) - but I've only ever done this once (created the key-pair, CR and self-signed keys) a long time ago, so want to make sure I don't shoot myself in the foot...

I have created new self-signed certs a couple of times since creating the original key-pair+CR, but never created a new key-pair/CR...

> There are also other algorithms than RSA. And also if you want to get
> PFS you will need to consider your setup, certificate and security
> model.

What is PFS?
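The key-rotation steps quoted above (new key pair, CSR from that key, old key never sent to the CA) and the question of whether the old pair keeps working in the meantime can be checked with openssl. The script below is an added example, not code from either poster; it builds a stand-in "old" self-signed pair in a scratch directory, generates a fresh key and CSR the way the reply describes, and then compares the public keys to show that the old cert still matches the old key (so the running server is unaffected until the new cert is installed), that the CSR carries the new public key, and that nothing leaving the server contains a private key. The CN `mail.example.test` and the file names are constructed assumptions; it does not cover PFS, which the thread leaves unanswered.

```shell
#!/bin/sh
# Added example: rotate a TLS key pair and prove the old pair is untouched.
# All files live in a scratch directory (hypothetical names, constructed here).
WORK="${WORK:-$(mktemp -d)}"
OLD_KEY="$WORK/old.key"; OLD_CRT="$WORK/old.crt"     # existing (compromised) pair
NEW_KEY="$WORK/new.key"; NEW_CSR="$WORK/new.csr"     # replacement key + request
SUBJ="/CN=mail.example.test"                         # constructed subject

# Stand-in for the self-signed cert + key already in production.
make_old_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$SUBJ" \
        -keyout "$OLD_KEY" -out "$OLD_CRT" >/dev/null 2>&1
}

# Steps from the reply: generate a brand-new key, then a CSR signed with it.
# The old key is never read, so nothing about the old pair changes.
make_new_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$NEW_KEY" 2>/dev/null &&
    openssl req -new -key "$NEW_KEY" -subj "$SUBJ" -out "$NEW_CSR" 2>/dev/null
}

# SHA-256 of the DER public key held in a private key, a cert or a CSR,
# so that the public halves of the two pairs can be compared directly.
pubkey_id() {   # $1 = file, $2 = key|cert|csr
    case "$2" in
        key)  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null ;;
        cert) openssl x509 -in "$1" -pubkey -noout 2>/dev/null |
              openssl pkey -pubin -outform DER 2>/dev/null ;;
        csr)  openssl req -in "$1" -pubkey -noout 2>/dev/null |
              openssl pkey -pubin -outform DER 2>/dev/null ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Old cert still belongs to the old key: the production server keeps
# serving with it until the CA-signed cert is installed.
old_pair_still_matches() {
    [ "$(pubkey_id "$OLD_KEY" key)" = "$(pubkey_id "$OLD_CRT" cert)" ]
}
# The CSR carries the new public key, and it is not the old one.
csr_matches_new_key() {
    [ "$(pubkey_id "$NEW_KEY" key)" = "$(pubkey_id "$NEW_CSR" csr)" ]
}
new_key_differs() {
    [ "$(pubkey_id "$NEW_KEY" key)" != "$(pubkey_id "$OLD_KEY" key)" ]
}
# Only the CSR goes to the CA; it must not contain private key material.
csr_contains_no_private_key() {
    ! grep -q "PRIVATE KEY" "$NEW_CSR"
}

# Run the rotation and report each check when executed directly.
make_old_selfsigned && make_new_key_and_csr || { echo "openssl step failed"; exit 1; }
for check in old_pair_still_matches csr_matches_new_key \
             new_key_differs csr_contains_no_private_key; do
    if "$check"; then echo "ok   $check"; else echo "FAIL $check"; fi
done
echo "send $NEW_CSR to the CA; keep $NEW_KEY on the server"
```

Once the CA returns the signed certificate, the swap is the only moment the server changes: install the new cert and `new.key` together, reload, then retire the old pair.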
