Open ypid opened 7 years ago
I see an issue with this - at the moment the hosts themselves execute the pki-realm
script periodically to perform operations like renewal of ACME certificates. The script detects if the currently used certificate is valid, and if not it switches to the "next best" certificate in order: external, acme, internal, selfsigned. If we add an option to regenerate the private keys, the internal certificates will be broken since the internal CA located on the Ansble Controller would not have signed the certificate, resulting in the key/cert mismatch. I suppose that the key regeneration could be tied to the Ansible runs themselves and done periodically, but there's no guarantee that the run is performed periodically at all. Although that shouldn't be an issue in this case.
I suppose that the key regeneration could be tied to the Ansible runs themselves and done periodically, but there's no guarantee that the run is performed periodically at all.
Right. I would not really depend on that.
Maybe older private keys could be saved in the CA directory which still has a valid cert using this key.
For the common deployments using DebOps, e. g. VPSes or so using LE, key regeneration should be the default. I suspect that internal CAs or external CAs are used very infrequently for such deployments. For such cases we could recommend in the docs to disable pki_internal
which could then switch on key regeneration for each cert if no external certs are provided (or maybe even then as suggested above).
Currently, the realm key used for all certificates of this realm (internal, external, ACME) is created on realm creation. In the case of ACME and LE, the certificate is renewed at least all 3 months. Other certs are rotated less frequently. It should be possible to specify the wanted private key renewal period which can happen at cert renewal.
Ref: https://letsencrypt.org/2015/11/09/why-90-days.html