From: Tanstaafl
Date: Wed, 16 Apr 2014 13:56:57 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
Message-ID: <534EC469.1090406@libertytrek.org>
In-Reply-To: <1B52707A-ABAE-4FEF-98F2-BF64D48F7EB3@iki.fi>

On 4/16/2014 7:14 AM, Matti Nykyri wrote:
> On Apr 16, 2014, at 13:52, Tanstaafl wrote:
>> Or will simply replacing my self-signed certs with the new real ones be good enough?
>
> No it will not. Keys are the ones that have been compromised. You need
> to create new keys. With those keys you need to create certificate
> request. Then you send that request to certificate authority for
> signing and publishing in their crl. When you receive the signed
> certificate you can start using it with your key. Never send your key
> to CA or expect to get a key from them.

Ok, thanks...

But... if I do this (create a new key-pair and CR), will this immediately invalidate my old ones (ie, will my current production server stop working until I get the new certs installed)?

I'm guessing not (or else there would be a lot of downtime for lots of sites involved) - but I've only ever done this once (created the key-pair, CR and self-signed keys) a long time ago, so want to make sure I don't shoot myself in the foot...

I have created new self-signed certs a couple of times since creating the original key-pair+CR, but never created a new key-pair/CR...

> There are also other algorithms than RSA. And also if you want to get
> PFS you will need to consider your setup, certificate and security
> model.

What is PFS?
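
The rekeying steps from the quoted reply (new key, then a certificate request made with that key), as an added example that is not part of the original thread. The file names, the CN `mail.example.org` and the self-signed stand-in for the certificate in service are constructed assumptions; submitting the request to a CA is not shown. Generating the new key and request only writes new files, which the final check confirms by comparing public-key digests.

```bash
# Added example. File names and the CN are constructed placeholders.
set -eu

# SHA-256 of the public key held in a private key, CSR or certificate,
# so the three kinds of file can be compared with each other.
pub_digest() {   # usage: pub_digest key|req|x509 FILE
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    req)  openssl req  -in "$2" -noout -pubkey ;;
    x509) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Constructed stand-in for the key and self-signed cert now in service.
make_old_pair() {   # usage: make_old_pair DIR CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/old.key" -out "$1/old.crt" 2>/dev/null
}

# Steps from the reply: new private key, then a CSR made with that key.
# Only new.csr goes to the CA; new.key stays on the server.
rekey() {   # usage: rekey DIR CN
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$1/new.key" 2>/dev/null )
  openssl req -new -key "$1/new.key" -subj "/CN=$2" -out "$1/new.csr"
}

demo() {
  d=$(mktemp -d)
  make_old_pair "$d" mail.example.org
  in_service=$(pub_digest x509 "$d/old.crt")
  rekey "$d" mail.example.org
  # The CSR must carry the new public key, not the exposed one.
  [ "$(pub_digest req "$d/new.csr")" = "$(pub_digest key "$d/new.key")" ] \
    && echo "CSR matches new key"
  [ "$(pub_digest key "$d/new.key")" != "$in_service" ] \
    && echo "new key differs from the key in service"
  # The cert in service still carries the same public key as before.
  [ "$(pub_digest x509 "$d/old.crt")" = "$in_service" ] \
    && echo "cert in service unchanged by rekeying"
  rm -rf "$d"
}
demo
```

The same `pub_digest x509` / `pub_digest key` comparison can be run on the signed certificate when it comes back from the CA, before it is installed next to `new.key`.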