On Friday, December 7, 2012 7:28:27 PM UTC-6, Ellison Marks wrote:
> I just recently spun up a new host using an old hostname, and when
> managing the certificates, I noticed that the newly generated cert was
> listed as sha256, while all of my earlier certs were listed as sha1. I
> guess this is a new default or something, and I like better security, so
> I'd like all of my hosts to use sha256. Is there any shortcut to
> regenerating all the certs, or do I have to clean them off of each host and
> the master, then regenerate them one by one?
>
You would need to clean them all off and generate new ones. Really,
though, I think there is very little advantage to doing so. It is true
that SHA-256 is a stronger hash than SHA-1, but that doesn't mean
cryptographic certificates using SHA-1 are unacceptably weak.
If that's an issue that you need to settle reliably, however, then you
should consult a security professional who is familiar with your
infrastructure and requirements.
John