On Friday, December 7, 2012 7:28:27 PM UTC-6, Ellison Marks wrote:
>
> I just recently spun up a new host using an old hostname, and when
> managing the certificates, I noticed that the newly generated cert was
> listed as sha256, while all of my earlier certs were listed as sha1. I
> guess this is a new default or something, and I like better security, so
> I'd like all of my hosts to use sha256. Is there any shortcut to
> regenerating all the certs, or do I have to clean them off of each host and
> the master, then regenerate them one by one?
>
You would need to clean them all off and generate new ones. Really, though, I think there is very little advantage to doing so. It is true that SHA-256 is a stronger hash than SHA-1, but that doesn't mean cryptographic certificates using SHA-1 are unacceptably weak. If that's an issue that you need to settle reliably, however, then you should consult a security professional who is familiar with your infrastructure and requirements.

John