- From: Daniel DeLeo
- To:
- Subject: [chef] Re: Re: Update on Heartbleed and Chef Keys
- Date: Thu, 10 Apr 2014 18:35:01 -0700
On Thursday, April 10, 2014 at 6:30 PM, Nick Silkey wrote:

> Stephen --
>
> Thanks for being forthcoming in this. If customers are to consider
> _all_ private keys compromised, should they undertake the following:
>
> - remove client-side private keys
> - upgrade chef-client packages
> - nuke client objects on chef-server
> - rotate validator key on chef-server
> - use new validator key to re-bootstrap upgraded clients to chef-server
> - rotate additional user keys
>
> This is in addition to chef-server upgrades + nginx ssl certs regeneration.
The cookbook we provided updates the private (and therefore also the public)
keys of any client that runs it. If you configure `local_key_generation true`
the keys will be created on the client side and the private key won’t go over
the network. Then you don’t need to delete the client objects on the server.
--
Daniel DeLeo
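What `local_key_generation true` buys you, shown as an added example rather than the cookbook Daniel refers to: the node generates its own RSA pair, keeps the private half on disk with owner-only permissions, and the client-object update carries only the public half. The request field names (`public_key`, `private_key: false`) are assumed from the Chef server client API; the node name and file path are constructed for the example.

```ruby
# Added example (not the rotation cookbook from this thread): local key
# generation for a chef-client key rotation. The private key never enters
# the request body, so even a TLS session exposed by Heartbleed would not
# carry it over the network.
require "openssl"
require "json"
require "tmpdir"

# Generate a fresh RSA key pair on the node. Nothing leaves this process yet.
def generate_client_key(bits = 2048)
  OpenSSL::PKey::RSA.new(bits)
end

# Write the private key to disk owner-readable only, as chef-client does.
# Returns the path written.
def write_private_key(key, path)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) do |f|
    f.write(key.to_pem)
  end
  File.chmod(0600, path) # enforce the mode regardless of umask
  path
end

# Body of the PUT /clients/<name> request. Only the public key is included;
# `private_key: false` asks the server not to generate a pair of its own.
# (Field names assumed from the Chef server API; verify for your version.)
def client_update_body(name, key)
  {
    "name" => name,
    "public_key" => key.public_key.to_pem,
    "private_key" => false,
  }
end

# Defensive check to run before sending: the serialized payload must carry
# no private-key material at all.
def payload_leaks_private_key?(body)
  JSON.generate(body).include?("PRIVATE KEY")
end

if __FILE__ == $0
  key  = generate_client_key
  path = write_private_key(key, File.join(Dir.tmpdir, "client.pem")) # constructed path
  body = client_update_body("web01.example.com", key)                # constructed name
  puts "private key at #{path}, mode #{(File.stat(path).mode & 0777).to_s(8)}"
  puts "payload leaks private key? #{payload_leaks_private_key?(body)}"
end
```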