| 1 |
On 4/16/2014 7:14 AM, Matti Nykyri <matti.nykyri@×××.fi> wrote: |
| 2 |
> On Apr 16, 2014, at 13:52, Tanstaafl <tanstaafl@×××××××××××.org> wrote: |
| 3 |
>> Or will simply replacing my self-signed certs with the new real ones be good enough? |
| 4 |
|
| 5 |
> No it will not. Keys are te ones that have been compromised. You need |
| 6 |
> to create new keys. With those keys you need to create certificate |
| 7 |
> request. Then you send that request to certificate authority for |
| 8 |
> signing and publishing in their crl. When you receive the signed |
| 9 |
> certificate you can start using it with your key. Never send your key |
| 10 |
> to CA or expect to get a key from them. |
| 11 |
|
| 12 |
Ok, thanks... |
| 13 |
|
| 14 |
But... if I do this (create a new key-pair and CR), will this |
| 15 |
immediately invalidate my old ones (ie, will my current production |
| 16 |
server stop working until I get the new certs installed)? |
| 17 |
|
| 18 |
I'm guessing not (or else there would be a lot of downtime for lots of |
| 19 |
sites involved) - but I've only ever done this once (created the |
| 20 |
key-pair, CR and self-signed keys) a long time ago, so want to make sure |
| 21 |
I don't shoot myself in the foot... |
| 22 |
|
| 23 |
I have created new self-=signed certs a couple of times since creating |
| 24 |
the original key-pair+CR, but never created a new key-pair/CR... |
| 25 |
|
| 26 |
> There are also other algorithms the RSA. And also if you wan't to get |
| 27 |
> PFS you will need to consider your setup, certificate and security |
| 28 |
> model. |
| 29 |
|
| 30 |
What is PFS? |
Archives