[ATTENTION] Engine now uses PKCS#12 format to store private keys

Alon Bar-Lev alonbl at redhat.com
Sun Sep 30 08:27:00 UTC 2012


Hello All,

We committed a change in the method engine uses to store private keys.

So far the engine used the Java proprietary JKS format; this format enabled only Java applications to access the keys and made it hard to manipulate them using external programs.

From now on the engine is using the standard PKCS#12 format to store keys and the associated certificate chain.

The PKCS#12 format is standard and supported by many applications, and it allows a simpler enrollment procedure.

We also issue a different certificate and key to be used for engine authentication (SSH, VDSM) and for the engine web interface (HTTPS). This change has two reasons:

1. Allow simpler migration to 3rd party certificate for the web interface.

2. Separate the different private key usages (signature and key exchange).

The engine-upgrade script has been modified to upgrade the environment to the new state.

Please CC me on every issue you may experience.

Regards,
Alon.
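The two points the announcement relies on, that a PKCS#12 store (key plus certificate chain) can be built and read with non-Java tooling, and that the authentication and HTTPS identities carry separate keys with separate keyUsage values, can be checked end to end with OpenSSL alone. The script below is an added example written for this page, not the engine's own enrollment or engine-upgrade code: the throw-away CA, the names engine-auth and engine-https, the store password and the keyUsage split are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build and inspect PKCS#12 stores with OpenSSL only.
# CA, names, password and keyUsage values are assumptions for illustration;
# they are not the engine's real file names or enrollment procedure.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
PASS=changeit   # assumed store password, not the engine's

# 1. A throw-away CA (constructed for this example).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Engine CA" -keyout ca.key -out ca.crt 2>/dev/null

# issue_cert NAME KEYUSAGE: a separate key and certificate per usage,
# signed by the CA, then packaged as NAME.p12 together with the CA chain.
issue_cert() {
    name=$1; usage=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
    printf 'keyUsage=critical,%s\n' "$usage" > "$name.ext"
    openssl x509 -req -days 30 -in "$name.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    # PKCS#12: private key, leaf certificate and the issuing chain in one file.
    openssl pkcs12 -export -name "$name" -inkey "$name.key" -in "$name.crt" \
        -certfile ca.crt -passout "pass:$PASS" -out "$name.p12"
}

# p12_cert_count FILE: number of certificates (leaf + chain) held in the store.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# p12_key_usage FILE: keyUsage of the leaf certificate held in the store
# (-clcerts drops the CA certificates from the output).
p12_key_usage() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -text \
        | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}

# p12_chain_ok FILE: prints "ok" if the leaf extracted from the store
# verifies against the CA, "fail" otherwise.
p12_chain_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
        > leaf.pem
    if openssl verify -CAfile ca.crt leaf.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Two identities with different key usages, as the announcement describes:
issue_cert engine-auth  digitalSignature                   # engine authentication
issue_cert engine-https digitalSignature,keyEncipherment   # web interface (HTTPS)

echo "stores written to $WORK"
```

Swapping the web interface to a third-party certificate is then a matter of re-running the `openssl pkcs12 -export` step with the externally issued key, certificate and chain and replacing only engine-https.p12; the authentication store and its key are untouched. To extract a private key for another program, add `-nocerts -nodes` to `openssl pkcs12 -in`.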