On the meaning of the word "renewal".
According to RFC 3647, renewal is defined as follows:
"Certificate renewal means the issuance of a new certificate to the
subscriber without changing the subscriber or other participant's
public key or any other information in the Certificate."
I should add that renewal does change the valid to/from dates and the
serial number.
When the UK cert wizard says "renew" it should really say "rekey".
RFC 3647 defines rekey as
"This subcomponent is used to describe the following elements related
to a subscriber or other participant generating a new key pair and
applying for the issuance of a new certificate that certifies the new
public key"
For this current OpenSSL issue, it is of course very important that the
key-pair is regenerated as it is the private key that might have been
exposed.
Cheers
Dave
------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: [log in to unmask]
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------
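The distinction above is testable: a "renewal" leaves the SubjectPublicKeyInfo of the certificate unchanged, while a "rekey" produces a certificate over a freshly generated key pair. The following is an added example (not code from the thread, the GridPP wiki, or the UK CA) that generates a new key and CSR with the openssl command line and then compares the public key in an existing certificate against the public key derived from a private key, so an administrator can confirm that whatever the CA calls "renew" actually gave them a new key after Heartbleed. The host name, file names and the self-signed stand-in for the old CA-issued certificate are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI is
# installed; the host name and file paths are placeholders.
set -eu

# Generate a new RSA key pair and a CSR for a host (the "rekey" of RFC 3647).
# $1 = output basename (writes $1.key and $1.csr), $2 = host FQDN
rekey_host() {
    base=$1; fqdn=$2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$base.key" 2>/dev/null
    chmod 600 "$base.key"
    # The DN below is a placeholder; a real CA will dictate the exact form.
    openssl req -new -key "$base.key" -subj "/CN=$fqdn" -out "$base.csr" 2>/dev/null
}

# Compare the public key in an existing certificate with the public key
# belonging to a private key. Both are normalised to DER SubjectPublicKeyInfo
# and hashed, so the comparison is independent of PEM line wrapping.
# Prints "rekeyed" if the keys differ, "SAME-KEY" if the key was reused.
# $1 = certificate (PEM), $2 = private key (PEM)
rekey_check() {
    old=$(openssl x509 -in "$1" -noout -pubkey \
          | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    new=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    if [ "$old" = "$new" ]; then
        echo SAME-KEY
    else
        echo rekeyed
    fi
}

demo() {
    work=$(mktemp -d)
    # Constructed stand-in for the certificate a host held before the
    # OpenSSL bug: a self-signed cert over the old key (in practice this
    # would be the CA-issued certificate).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/old.key" 2>/dev/null
    openssl req -x509 -new -key "$work/old.key" -subj "/CN=host.example.org" \
        -days 1 -out "$work/old.crt" 2>/dev/null

    # An RFC 3647 "renewal" keeps the key: new dates and serial, same key.
    # This is exactly the case that does NOT help after a key exposure.
    rekey_check "$work/old.crt" "$work/old.key"   # SAME-KEY

    # An RFC 3647 "rekey": fresh key pair and CSR for the same host.
    rekey_host "$work/new" host.example.org
    rekey_check "$work/old.crt" "$work/new.key"   # rekeyed

    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; skipping demo" >&2
fi
```

Run `rekey_check old-host.crt host.key` against the certificate the CA hands back: if it prints SAME-KEY, the CA performed a renewal in the RFC 3647 sense and the possibly exposed private key is still in service; only "rekeyed" means the Heartbleed remediation is complete for that host.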
On 09/04/2014 10:57, "Stephen Jones" <[log in to unmask]> wrote:
>John(K), all,
>
>Here's my catchup email....
>
>---------------------------------------------------------------
>First problem - Do we need New certificates?
>
>Answer: I've contacted Leif Nixon directly, and this is (part of) his
>response:
>
> > For all hosts that were vulnerable, you should get a completely
> > new certificate; i.e. generate a new private and public key pair
> > and get a certificate based on that. (The precise procedure for
> > this depends on your particular CA, of course.)
>
>So if we "renew" a certificate, does the "renewed" certificate
>have different keys to the original one? If "renewal" does result in
>new keys, then it is perfectly OK to simply renew the certificate in
>the normal manner, as we do each year.
>
>If "renewal" does not result in new keys, then it is not the right
>procedure. In which case, we all have to go the full loop and get
>completely new certificates (generating new key pairs).
>
>---------------------------------------------------------------
>Second problem - Assuming we need to, how do we get
>New certificates without breaking systems.
>
>Answer: Up in the air at the moment. The choices I can see are:
>
>A) Use workaround (get a friendly RA Op from another RA to request
> the revocation for me, and persuade my RA Op's approval to delay
> the process).
>
> Pros: ready now (but needs testing?)
> Cons: Fragile process. Multiple unknown RA Ops (local and remote) who
> need to be identified, informed and synchronised.
>
>B) Find a slicker procedure to get it done without multiple RA Ops
>
> Pros: Reduces screw-ups
> Cons: not ready now
>
>C) Use existing procedure: https://www.gridpp.ac.uk/wiki/Grid_Certificate
> This works around the block on hosts with multiple, simultaneous
> certificates by using a new host DN.
>
> Pros: It's ready now (but needs testing)
> Cons: DN needs to change, with multiple external impacts.
>
>---------------------------------------------------------------
>
>So there it is. Food for thought. eh?
>
>Steve
>
>On 04/08/2014 05:50 PM, John Kewley wrote:
>> For those of you who want to request a new host cert rather than do a
>>renewal.
>>
>> You can temporarily suspend your certificate by requesting its
>>revocation.
>> The problem with this is that if that request is signed then your
>>certificate goes "bang".
>> The alternative is to get a friendly RA Op from another RA to request
>>the revocation for you.
>> This means that it will await your RA Op's approval (which you persuade
>>them not to give ... just yet).
>> You can now apply for a new one
>>
>> cheers
>>
>> JK
>>
>>> -----Original Message-----
>>> From: Stephen Jones [mailto:[log in to unmask]]
>>> Sent: Tuesday, April 08, 2014 5:08 PM
>>> To: [log in to unmask]
>>> Subject: I'll test this out:
>>>https://www.gridpp.ac.uk/wiki/Grid_Certificate
>>>
>>> Hi all,
>>>
>>> I wrote some of this a while back. Now I have to renew all the certs
>>> due to the OpenSSL bug, I guess I should test it still works:
>>>
>>> I think it's the same process as "Converting host certificates to omit
>>> the email addresses from DNs".
>>>
>>> https://www.gridpp.ac.uk/wiki/Grid_Certificate
>>>
>>> Job for tomorrow...
>>>
>>>
>>> Steve
>>>
>>> --
>>> Steve Jones [log in to unmask]
>>> System Administrator office: 220
>>> High Energy Physics Division tel (int): 42334
>>> Oliver Lodge Laboratory tel (ext): +44 (0)151 794 2334
>>> University of Liverpool
>>>http://www.liv.ac.uk/physics/hep/
>
>
>--
>Steve Jones [log in to unmask]
>System Administrator office: 220
>High Energy Physics Division tel (int): 42334
>Oliver Lodge Laboratory tel (ext): +44 (0)151 794 2334
>University of Liverpool http://www.liv.ac.uk/physics/hep/