upgrading to 1.8.x / buster

Jesse Norell jesse at kci.net
Wed Aug 14 22:47:44 CEST 2019


Hello,

  Short version:  when upgrading old clients to new gnutls, is there a
way to generate just the TLS keypair used to identify a client?


  I'm starting to update our older mandos systems to buster with
the latest gnutls, requiring a TLS key pair for identification.  I
added the stretch-backports repo from recompile.se and updated
mandos-client:

mandos-client                   1.8.7-1~bpo9+1       amd64                do unattended reboots with an encrypted root file system

# mandos-keygen --version
/usr/sbin/mandos-keygen 1.8.7

Now I would add key_id to the server's clients.conf, but I believe I
have no TLS keypair created, as 'mandos-keygen -F/dev/null|grep
^key_id' returns empty.

So I presume I must create the key pair.  A test run of mandos-keygen
indicates I must use --force to overwrite the old keys.  I don't see
from the man page a way to create just the TLS keypair (maybe I'm
overlooking it).  Can I generate both TLS and OpenPGP keys in a temp
directory, then copy the TLS keys to /etc/keys/mandos/ ?  Or does the
TLS key pair have to "match" the OpenPGP keypair, so I'll just need to
wipe out all old keys, generate new ones, and replace the whole section
in clients.conf?  (release notes indicate I should be able to add just
the key_id)

Thanks!

-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net
