From: Tanstaafl <tanstaafl@libertytrek.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
Date: Wed, 16 Apr 2014 13:56:57 -0400 [thread overview]
Message-ID: <534EC469.1090406@libertytrek.org> (raw)
In-Reply-To: <1B52707A-ABAE-4FEF-98F2-BF64D48F7EB3@iki.fi>
On 4/16/2014 7:14 AM, Matti Nykyri <matti.nykyri@iki.fi> wrote:
> On Apr 16, 2014, at 13:52, Tanstaafl <tanstaafl@libertytrek.org> wrote:
>> Or will simply replacing my self-signed certs with the new real ones be good enough?
> No it will not. Keys are te ones that have been compromised. You need
> to create new keys. With those keys you need to create certificate
> request. Then you send that request to certificate authority for
> signing and publishing in their crl. When you receive the signed
> certificate you can start using it with your key. Never send your key
> to CA or expect to get a key from them.
Ok, thanks...
But... if I do this (create a new key-pair and CR), will this
immediately invalidate my old ones (ie, will my current production
server stop working until I get the new certs installed)?
I'm guessing not (or else there would be a lot of downtime for lots of
sites involved) - but I've only ever done this once (created the
key-pair, CR and self-signed keys) a long time ago, so want to make sure
I don't shoot myself in the foot...
I have created new self-=signed certs a couple of times since creating
the original key-pair+CR, but never created a new key-pair/CR...
> There are also other algorithms the RSA. And also if you wan't to get
> PFS you will need to consider your setup, certificate and security
> model.
What is PFS?
next prev parent reply other threads:[~2014-04-16 17:57 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-16 10:52 [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones Tanstaafl
2014-04-16 11:14 ` Matti Nykyri
2014-04-16 17:56 ` Tanstaafl [this message]
2014-04-17 5:59 ` Matti Nykyri
2014-04-17 6:10 ` Mick
2014-04-17 14:40 ` Matti Nykyri
2014-04-17 15:49 ` Mick
2014-04-17 16:54 ` Joe User
2014-04-17 18:43 ` Matti Nykyri
2014-04-17 20:17 ` [gentoo-user] " walt
2014-04-18 5:50 ` Matti Nykyri
2014-04-18 14:27 ` Dale
2014-04-18 16:45 ` Mick
2014-04-18 18:08 ` Dale
2014-04-18 19:01 ` Mick
2014-04-18 20:27 ` Dale
2014-04-18 23:33 ` Mick
2014-04-19 15:29 ` Dale
2014-04-19 15:43 ` Matti Nykyri
2014-04-19 19:33 ` Dale
2014-04-19 19:43 ` Joe User
2014-04-19 21:23 ` Dale
2014-04-20 0:18 ` Peter Humphrey
2014-04-20 8:49 ` Mick
2014-04-20 9:21 ` Matti Nykyri
2014-04-20 10:26 ` Mick
2014-04-19 16:11 ` Mick
2014-04-19 18:41 ` Dale
2014-04-20 8:27 ` Mick
2014-04-20 9:10 ` Dale
2014-04-20 12:38 ` Mick
2014-04-20 16:40 ` Matti Nykyri
2014-04-20 17:20 ` Joe User
2014-04-21 6:57 ` Matti Nykyri
2014-04-20 18:36 ` Dale
2014-04-19 11:51 ` [gentoo-user] " Mick
2014-04-19 13:17 ` Joe User
2014-04-19 15:38 ` Matti Nykyri
2014-04-19 16:40 ` Joe User
2014-04-19 17:14 ` Mick
2014-04-20 23:20 ` Mick
2014-04-21 7:11 ` Matti Nykyri
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=534EC469.1090406@libertytrek.org \
--to=tanstaafl@libertytrek.org \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox