HELP! database lost

Hello, all. I think we are just plain out of luck here but I'll ask anyway. One of our vendors messed up and the result is a catastrophic loss of our PKI database without backup. It just so happens that we have the certs and keys (including the CA key) backed up but not the database itself. We would very much like to not have to reissue all certs and replace all instances of the CA cert (most are server certs - only a handful of users). We could build out a new CA on the old CA key and not have to replace all the certs, but I would imagine we would be unable to revoke the certs if there was a compromise, since they are not in the database. Is there any way to rebuild the database with the existing certs and keys, or are we stuck rebuilding from scratch (beating head against wall repeatedly to ease the pain)?

Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@...
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: HELP! database lost

Oh man! I feel your pain. I had a similar catastrophe when I lost the serial number index file (with no backups) a couple of years ago... Fortunately I was able to rebuild without losing anything. It would seem possible to import the data back into the database. Perhaps by manually building a tar file of the certs and then performing a data exchange?

Good luck,
Dave

Re: HELP! database lost

On Tue, 2009-08-11 at 10:20 -0400, blainedw@... wrote:
> Oh man! I feel your pain. I had a similar catastrophe when I lost the
> serial number index file (with no backups) a couple of years ago...
> Fortunately I was able to rebuild without losing anything. It would
> seem possible to import the data back into the database. Perhaps by
> manually building a tar file of the certs and then performing a data
> exchange?
<snip>

That's an interesting idea. What would go into the tar file? Simply the PKCS#12 files (we do mostly server-side key generation)? I suppose the serial numbers are embedded. If it's just certs, I suppose we could extract the certs and tar those. We don't reuse keys anyway. Any pointers?

Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@...
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

Re: HELP! database lost

Hi John,

I was hoping you wouldn't ask ;)

Actually I'm hoping someone else chimes in (perhaps Max) to see if my suggestion will get you out of your jam or put you further into trouble.

But just like the data exchange, the tar file has to be structured correctly with directories for PENDING, APPROVED, etc., with the certificates placed into the proper folders. But I think the data exchange would require PEM or CER files, not PKCS12s. You should have those CER or PEMs, though, under the var/crypto subdirectory.

Dave

Re: HELP! database lost

On Tue, 2009-08-11 at 13:28 -0400, blainedw@... wrote:
> Hi John,
>
> I was hoping you wouldn't ask ;)
>
> Actually I'm hoping someone else chimes in (perhaps Max) to see if my
> suggestion will get you out of your jam or put you further into
> trouble.
>
> But just like the data exchange, the tar file has to be structured
> correctly with directories for PENDING, APPROVED, etc. with the
> certificates placed into the proper folders. But I think the data
> exchange would require PEM or CER files not PKCS12's. You should have
> those CER or PEM's though under the var/crypto subdirectory.

Thank you, thank you, thank you - IT WORKED!!!! Since we are using a shared database scenario for all nodes, losing the database meant losing everything. I created an empty data exchange archive and expanded it to find the file structure. I then added in the certs, CA cert, and CRL from the file system, tar'd it, put it in the data exchange directory for the public node, and downloaded data from higher in the hierarchy. All the certs AND keys are there. It's a beautiful thing amidst the darkness.

Thanks again - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@...
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
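
Added example, not from the thread and not OpenCA code. John asks whether the serial numbers are embedded in the certs, Dave mentions having rebuilt after losing his serial index, and John's original worry was that a CA rebuilt on the old key could no longer revoke anything it did not have on record. All three hinge on the same fact: serial, validity and subject are inside every X.509 certificate, so the issuance record can be regenerated from the certs on disk, and with it the ability to put a serial on a CRL. The script below does that with the Python standard library only. It writes the text database used by `openssl ca` (an index.txt plus the next-serial value) as a stand-in, since the thread does not describe OpenCA's own SQL schema or the exact data-exchange tar layout; the sample certificates are constructed in code (structurally valid DER, but with a zero-filled key and signature), and the `revoked` mapping is assumed to have been pulled from whatever CRL survived.

```python
"""Rebuild an OpenSSL-style CA database (index.txt and the next-serial file)
from already-issued PEM certificates, standard library only.
Added example for this thread, not OpenCA code: the output mirrors the text
database of 'openssl ca'; OpenCA's SQL schema and tar layout are not reproduced.
"""
import base64

# ---- minimal DER (tag-length-value) reader -----------------------------------

def _tlv(buf, pos):
    """Return (tag, contents, offset after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

_OID_SHORT = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C",
              b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def _name_to_str(name):
    """Render an X.501 Name the way 'openssl ca' writes it: /O=.../CN=..."""
    parts, pos = [], 0
    while pos < len(name):
        _, rdn, pos = _tlv(name, pos)       # RelativeDistinguishedName (SET)
        _, atv, _ = _tlv(rdn, 0)            # its AttributeTypeAndValue (SEQUENCE)
        _, oid, p = _tlv(atv, 0)
        _, val, _ = _tlv(atv, p)
        parts.append(f"{_OID_SHORT.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if l and not l.startswith("-----")))

def parse_cert(der):
    """Serial, validity and subject of a DER X.509 certificate (RFC 5280 field order)."""
    _, cert, _ = _tlv(der, 0)               # Certificate
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate
    tag, val, pos = _tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        tag, val, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)              # issuer
    _, validity, pos = _tlv(tbs, pos)
    _, subject, _ = _tlv(tbs, pos)
    _, not_before, p = _tlv(validity, 0)
    _, not_after, _ = _tlv(validity, p)
    return {"serial": serial, "not_before": not_before.decode(),
            "not_after": not_after.decode(), "subject": _name_to_str(subject)}

def _norm_time(t):
    """UTCTime YYMMDD... -> YYYYMMDD... (RFC 5280 pivot at 50) so times compare lexically."""
    return (("19" if int(t[:2]) >= 50 else "20") + t) if len(t) == 13 else t

def serial_hex(n):
    h = format(n, "X")
    return "0" + h if len(h) % 2 else h

def rebuild_index(pem_texts, now, revoked=None):
    """index.txt lines sorted by serial, plus the next serial as hex for the 'serial' file.
    'now' is an ASN.1 time string so runs are reproducible; 'revoked' maps serial ->
    revocation time as recovered from a surviving CRL (assumed input). Duplicate
    serials are a hard error: the index is what guarantees they are unique."""
    revoked, seen = revoked or {}, {}
    for pem in pem_texts:
        c = parse_cert(pem_to_der(pem))
        if c["serial"] in seen:
            raise ValueError(f"duplicate serial {serial_hex(c['serial'])}: "
                             f"{seen[c['serial']]['subject']} vs {c['subject']}")
        seen[c["serial"]] = c
    lines = []
    for serial in sorted(seen):
        c = seen[serial]
        if serial in revoked:
            status, rev_time = "R", revoked[serial]
        elif _norm_time(c["not_after"]) <= _norm_time(now):
            status, rev_time = "E", ""
        else:
            status, rev_time = "V", ""
        lines.append("\t".join([status, c["not_after"], rev_time,
                                serial_hex(serial), "unknown", c["subject"]]))
    return lines, serial_hex(max(seen, default=0) + 1)

# ---- constructed sample certificates: unsigned, zero key, test data only ------

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(i):
    return _der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))

def _der_name(pairs):
    return _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x13, txt.encode("ascii"))))
        for oid, txt in pairs))

OID_CN, OID_O = b"\x55\x04\x03", b"\x55\x04\x0a"

def make_sample_cert(serial, subject_pairs, not_before, not_after):
    """Structurally valid v3 X.509 DER wrapped as PEM; key and signature are zero filler."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial) + alg
               + _der_name([(OID_CN, "Example Root CA")])
               + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
               + _der_name(subject_pairs) + _der(0x30, alg + _der(0x03, bytes(33))))
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, bytes(33)))).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    issued = [make_sample_cert(0x1001, [(OID_O, "Example"), (OID_CN, "www.example.test")],
                               "090101000000Z", "100101000000Z"),
              make_sample_cert(0x1002, [(OID_O, "Example"), (OID_CN, "mail.example.test")],
                               "090801000000Z", "190801000000Z")]
    for line in rebuild_index(issued, now="100601000000Z")[0]:
        print(line)
```

Two things worth keeping from this when doing it against a real cert directory: the rebuilt index must be fed every cert the CA ever signed, not just the ones still in use, because an unlisted serial is exactly the one you cannot revoke later; and a duplicate serial is not something to paper over, since it means either the backup is incomplete or the CA was re-keyed and two issuance histories are being merged.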