On 4/16/2014 7:14 AM, Matti Nykyri <matti.nykyri@×××.fi> wrote:
> On Apr 16, 2014, at 13:52, Tanstaafl <tanstaafl@×××××××××××.org> wrote:
>> Or will simply replacing my self-signed certs with the new real ones be good enough?

> No, it will not. Keys are the ones that have been compromised. You need
> to create new keys. With those keys you need to create a certificate
> request. Then you send that request to the certificate authority for
> signing and publishing in their CRL. When you receive the signed
> certificate you can start using it with your key. Never send your key
> to the CA or expect to get a key from them.

Ok, thanks...

But... if I do this (create a new key-pair and CR), will this
immediately invalidate my old ones (i.e., will my current production
server stop working until I get the new certs installed)?

I'm guessing not (or else there would be a lot of downtime for lots of
sites involved) - but I've only ever done this once (created the
key-pair, CR and self-signed keys) a long time ago, so want to make sure
I don't shoot myself in the foot...

I have created new self-signed certs a couple of times since creating
the original key-pair+CR, but never created a new key-pair/CR...

> There are also other algorithms than RSA. And also if you want to get
> PFS you will need to consider your setup, certificate and security
> model.

What is PFS?
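An added worked example (my own, not from anyone in this thread) of the rotation Matti describes, done with the openssl CLI: generate a brand-new key pair, build a CSR from it, and send only the CSR to the CA. The hostname and file names are made up, and a self-signed key/cert stands in for the existing production setup. It also shows that creating the new key and CSR does not touch the old key or certificate, so the running server is unaffected until the new cert is installed:

```shell
#!/bin/sh
# Added example, not from this thread. Assumes the openssl CLI is installed.
# File names, the CN and the 30-day validity are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the current production setup: the compromised key and the
# self-signed certificate that was made from it (constructed).
make_old_setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/old.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/old.key" -days 30 \
        -subj "/CN=mail.example.test" -out "$WORK/old.crt" 2>/dev/null
}

# New key pair, then a CSR signed with it. The CSR carries the public key
# and subject only; that is all the CA ever needs to see.
make_new_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/new.key" 2>/dev/null
    openssl req -new -key "$WORK/new.key" \
        -subj "/CN=mail.example.test" -out "$WORK/new.csr" 2>/dev/null
}

# SHA-256 of the DER-encoded public key, so a key, a cert and a CSR can be
# compared regardless of algorithm (RSA, EC, ...).
pubkey_fp_of_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}
pubkey_fp_of_crt() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}
pubkey_fp_of_csr() {
    openssl req -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when the old cert still matches the old key: nothing was invalidated
# by generating the new pair.
old_setup_still_valid() {
    [ "$(pubkey_fp_of_key "$WORK/old.key")" = "$(pubkey_fp_of_crt "$WORK/old.crt")" ]
}

# 0 when the CSR was built from the NEW key and not from the compromised one.
csr_matches_new_key() {
    [ "$(pubkey_fp_of_csr "$WORK/new.csr")" = "$(pubkey_fp_of_key "$WORK/new.key")" ] &&
    [ "$(pubkey_fp_of_csr "$WORK/new.csr")" != "$(pubkey_fp_of_key "$WORK/old.key")" ]
}

# 0 when the CSR contains no private-key material, i.e. it is safe to send out.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$WORK/new.csr"
}

make_old_setup
make_new_key_and_csr
old_setup_still_valid   && echo "old key/cert untouched: production keeps running"
csr_matches_new_key     && echo "CSR carries the new public key"
csr_has_no_private_key  && echo "CSR holds no private key: only this goes to the CA"
```

The swap happens only when you later install the signed certificate next to new.key and reload the server; until then old.key/old.crt keep serving. Once the new pair is live, the old key should be treated as dead (and the old cert revoked if a CA issued it), since generating a replacement does nothing to the compromised key itself.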