Copyright © 2003 – 2008 Michal Čihař
After recent not so funny thing with OpenSSL in Debian, I realized that I will have to regenerate most of keys and certificates, because last big changes I did in networking/vpn/ssh setup which involved generating keys are not older than broken OpenSSL appeared in archives.
First obvious thing was SSH keys and cleanup of
~/.ssh/authorized_keys on all hosts. While doing that,
I realized that I still have there several keys, which are more or
less gone (not that I'd lost them, but I simply stopped to use
them). So it was good opportunity to do cleanup here. While I was
at these changes, cleaning up ~/.ssh/known_hosts was
also good idea, because I still had there lot of hosts I collected
during some of my previous jobs and I definitely won't (and can
not) access these machines anymore. So good, big cleanup in SSH
configuration was forced :-).
Next and harder step was to found out where else I use certificates generated by vulnerable OpenSSL. Server certificates for sure were also generated by OpenSSL, so let's regenerate web and email certificates and hope I did not miss anything.
All this happened yesterday, but today I realized that I missed other even more important thing - OpenVPN certificates. While regenerating certificates, I also found some machine keys which are not really used anymore, so I again could drop some of them. So that was task for this evening and now I'm hopefully really done with this issue and I really hope that this won't happen again in near future, I don't need to cleanup that often ;-).