
Convert the private miraheze.org key from rsa to pkcs8
Open, Low, Public

Description

Not sure if this should be a security task so filing it as one just in case.

The miraheze.org private key is in RSA format. Opensearch doesn't support that type (supports either pkcs8 or X.509). Our LE private keys don't use the RSA format. I'm not sure why we do. But nevertheless we should convert it.

I've got a converted copy on test131 for opensearch (it's in pkcs8 I think).

Event Timeline

To convert I did:

openssl pkcs8 -topk8 -in <old_key> -out <new_key> -nocrypt

Paladox and I discussed this a bit earlier, but here's the short of it:

pkcs8 is a type of file format for storing keys. Our private key is currently stored in pkcs1 format. There is no security concern in using one format over the other as long as the file itself is properly protected. In theory, we should be able to convert to pkcs8 without any impact to services currently using the key. In practice, it's unclear, but I don't see any services we use being unable to support pkcs8.

For now, I think the best move is to support the new key format for the new opensearch service, and slowly switch over the old format to the new one for other services. We don't want to be managing two separate private key files for the same private key for an extended duration of time, but it also is probably not the best idea to swap everything over to the new format without making sure it works.

This task can be unprotected, as it is not a security issue.

John lowered the priority of this task from High to Low. Feb 24 2023, 21:43
John changed the visibility from "Custom Policy" to "Public (No Login Required)".
John changed the edit policy from "Custom Policy" to "All Users".
John removed a project: Security.
Unknown Object (User) unsubscribed. Mar 18 2023, 03:39
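
A way to check the conversion before switching a service over, as an added example that is not part of the original task: it runs the `openssl pkcs8 -topk8` command quoted above on a throwaway key and confirms that the output is unencrypted PKCS#8 holding the same key. The function names and file paths are hypothetical, and the key is generated on the spot.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical, the key is a throwaway.

# Report the encoding from the PEM label on the first line of the file.
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# SHA-256 of the public half; identical for both encodings of one key.
# Fails (instead of hashing empty input) when the file cannot be parsed.
pubkey_fingerprint() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Convert with the command from the task, then accept the result only if it
# is unencrypted PKCS#8 and carries the same key as the original.
convert_and_verify() {
    old=$1 new=$2
    # -nocrypt writes the key in the clear, so create the file owner-only.
    ( umask 077; openssl pkcs8 -topk8 -in "$old" -out "$new" -nocrypt ) || return 1
    [ "$(key_format "$new")" = pkcs8 ] || return 1
    a=$(pubkey_fingerprint "$old") || return 1
    b=$(pubkey_fingerprint "$new") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed input: a throwaway key in PKCS#1 form. OpenSSL 3 needs
# -traditional for that; OpenSSL 1.1.1 writes PKCS#1 by default.
make_pkcs1_key() {
    openssl genrsa -out "$1.tmp" 2048 2>/dev/null || return 1
    if ! openssl rsa -in "$1.tmp" -traditional -out "$1" 2>/dev/null; then
        openssl rsa -in "$1.tmp" -out "$1" 2>/dev/null || { rm -f "$1.tmp"; return 1; }
    fi
    rm -f "$1.tmp"
}

# Demo on a throwaway key in a temp directory (no production key involved).
tmp=$(mktemp -d) && make_pkcs1_key "$tmp/old.key" &&
    convert_and_verify "$tmp/old.key" "$tmp/new.key" &&
    echo "old=$(key_format "$tmp/old.key") new=$(key_format "$tmp/new.key"): same key"
rm -rf "$tmp"
```
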