Re: certificates

> From: Richard Megginson <rmeggins at redhat.com>
> Susan wrote:
>> >oops, you're right, I didn't think that through.  Of course.
>> >
>> >it just seems that managing CA certs on the clients would be a real pain.
>> >  
>> >
>>     
> Indeed it is, if you have to update thousands of clients with the CA 
> cert.  But then, if you have such a large deployment, you will probably 
> find it beneficial to apply for a real CA cert from Verisign or some 
> such, and use a real CA.
>   

That's why it's so important to generate a proper CA cert in the first 
place, and keep it safe. I see many people on mailing lists talking 
about how they generated a single self-signed cert and are using it as 
their actual server cert. No matter how much time we spend explaining 
why this is a stupid idea, they still do it. I'm not a big fan of paying 
real money for a random string of bits, and even Verisign has made 
screwups in the past. Basically as long as you keep the CA's private key 
safe, there shouldn't be any problem running with your own CA cert.

> <shameless_plug_for_RHCS>
> Red Hat Certificate System has support for web based cert issuance.  It 
> supports CRL generation and has an OCSP responder.  It can generate 
> certs and automatically publish them to an LDAP server (e.g. to generate 
> the userCertificate attribute for users).
> </shameless_plug_for_RHCS>
>   

Since we're on the topic, Symas has a CA module for OpenLDAP that 
generates certs on the fly for authenticated users. Naturally, since it 
executes inside slapd, the cert is automatically stored in the user's 
LDAP entry. It's been part of our Connexitor EMS suite since 1999, and 
works quite painlessly.
>   
>> >Besides, is there any way within this whole FDS framework to revoke Certs?
>> >
>>     
> This issue is outside of Fedora DS.  It's more of an issue with your PK 
> infrastructure and your CA.
>
>   
>> >If the ldap server is
>> >compromised, how do I tell the clients not to trust it (or the CA or both) anymore???
>> >  
>>     

If the CA is compromised, all bets are off. Life can get ugly when the 
CA cert expires too...

>> >
>>     
> Revoke the cert on the CA, and have the CA generate a CRL.  Then, push 
> out this CRL to all of your clients.  I'm not sure how to do this with 
> openssl, but NSS provides a command line tool called crlutil that can be 
> used to install a CRL into your cert database.  
> Mozilla/Firefox/Thunderbird can do this automatically.
>   

Newer OpenSSL (certainly 0.9.8, but possibly also 0.9.7) versions can do 
CRL checking automatically, but you still must configure a source of 
CRLs to check. It's a bit more tedious in 0.9.6 and older.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
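The revoke / CRL / verify cycle discussed in this thread, as an added example that is not code from the thread, from Fedora DS, or from Symas: a throwaway private CA built with the OpenSSL CLI, where the client is told explicitly which CRL to consult (the "source of CRLs" Howard mentions) and refuses the cert once it appears on the CRL. The directory name, the ca.cnf contents and the "Demo Private CA" / "ldap" names are all constructed for this demo; it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Throwaway demo CA built with the OpenSSL CLI (constructed for this example).
set -eu
CADIR=./demo-ca   # hypothetical working directory; mirrors 'dir' in ca.cnf
setup_ca() {
  rm -rf "$CADIR" && mkdir -p "$CADIR/newcerts"
  : > "$CADIR/index.txt"; echo 1000 > "$CADIR/serial"; echo 1000 > "$CADIR/crlnumber"
  cat > "$CADIR/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./demo-ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
  # Self-signed CA cert; ca.key is the secret the whole scheme rests on.
  openssl req -config "$CADIR/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Private CA" -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$CADIR/ca.key" -out "$CADIR/ca.pem" 2>/dev/null
}
issue_cert() {  # $1 = CN; leaves $CADIR/$1.pem signed by the demo CA
  openssl req -config "$CADIR/ca.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$CADIR/$1.key" -out "$CADIR/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CADIR/ca.cnf" -in "$CADIR/$1.csr" \
    -out "$CADIR/$1.pem" 2>/dev/null
}
revoke_cert() { openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/$1.pem" 2>/dev/null; }
publish_crl() { openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/crl.pem" 2>/dev/null; }
# Client side: trust ca.pem, take crl.pem as the configured CRL source, and
# refuse the cert unless a CRL check can actually be performed and passes.
check_cert() {
  if out=$(openssl verify -crl_check -CAfile "$CADIR/ca.pem" \
           -CRLfile "$CADIR/crl.pem" "$CADIR/$1.pem" 2>&1); then echo OK
  elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then echo REVOKED
  else echo "FAIL: $out"; fi
}
```

Run `setup_ca; issue_cert ldap; publish_crl; check_cert ldap` to see OK, then `revoke_cert ldap; publish_crl; check_cert ldap` to see REVOKED; the CRL is only as fresh as its last publish, which is the operational problem the thread is pointing at.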
