On Wed, Apr 9, 2014 at 8:00 AM, Joey Kelly <joey@joeykelly.net> wrote:
> On 04/09/2014 04:27 AM, Ron Johnson wrote:
> > Do CA certificates need to be recreated?
>
It is impossible without having violated basic Crypto 101 key hygiene rules.
So no current public CA that claims to be following the security
standards could have a CA certificate compromised, unless they were
quite negligent.
Should never issue certificates that have a Policy definition/Extended key
usage allowing the certificate to be used for both Key agreement/Data
encipherment AND for Certificate signing (or CRL Signing).
CA signing keys should never be loaded onto a webserver.
Always sign a separate certificate that has a different key from the
certificate signing key.
>
>
> If you created them with a vulnerable OpenSSL version, then yes. I've
> got one to redo myself.
>
>
> --
> Joey Kelly
> Minister of the Gospel and Linux Consultant
> http://joeykelly.net
> 504-239-6550
> ___________________
> Nolug mailing list
> nolug@nolug.org
>
--
-Mysid
___________________
Nolug mailing list
nolug@nolug.org

Received on 04/09/14
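
The separation rule in the reply above can be checked mechanically. This is an added example, not part of the original message: it audits the Key Usage section of `openssl x509 -noout -text` output for certificates that combine signing with key agreement or encipherment. The function names and sample dumps are constructed for illustration, and treating Key Encipherment as a server-side usage is an assumption that goes beyond the two usages the post names.

```python
import re

# Key Usage names exactly as `openssl x509 -noout -text` prints them.
SIGNING = {"Certificate Sign", "CRL Sign"}
# The post names key agreement and data encipherment; Key Encipherment is
# added here as an assumption, since RSA server certificates usually carry it.
SERVER = {"Key Agreement", "Data Encipherment", "Key Encipherment"}

def key_usages(text):
    """Return the set of Key Usage names found in an openssl text dump."""
    m = re.search(r"X509v3 Key Usage:[^\n]*\n\s*([^\n]+)", text)
    return {u.strip() for u in m.group(1).split(",")} if m else set()

def is_ca(text):
    """True when Basic Constraints marks the certificate as a CA."""
    return bool(re.search(r"X509v3 Basic Constraints:[^\n]*\n\s*CA:TRUE", text))

def audit(text):
    """Return findings; an empty list means signing and server usages are separate."""
    usages, findings = key_usages(text), []
    if usages & SIGNING and usages & SERVER:
        findings.append("mixed usage: " + ", ".join(sorted(usages & (SIGNING | SERVER))))
    if is_ca(text) and not usages:
        findings.append("CA certificate without a Key Usage extension")
    if usages & SIGNING and not is_ca(text):
        findings.append("signing usage on a non-CA certificate")
    return findings

def dump(ca, usages):
    """Build a constructed fragment in the layout of openssl's text output."""
    ku = f"    X509v3 Key Usage: critical\n        {usages}\n" if usages else ""
    return f"    X509v3 Basic Constraints: critical\n        CA:{ca}\n" + ku

# Constructed samples, not taken from any real certificate.
SAMPLES = {
    "offline-ca": dump("TRUE", "Certificate Sign, CRL Sign"),
    "webserver": dump("FALSE", "Digital Signature, Key Encipherment"),
    "mixed": dump("TRUE", "Key Encipherment, Data Encipherment, Certificate Sign"),
    "no-ku-ca": dump("TRUE", ""),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text) or "ok")
```

To audit a real certificate, pass the output of `openssl x509 -noout -text -in cert.pem` to `audit()`.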