> ...the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS. Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption.

If I'm interpreting your question right, I think you're already covered for this as long as:

- Your client apps do server cert verification.
- Your internal CA isn't compromised.
- Your cert/key DB files on your FDS servers haven't been compromised.

You shouldn't need to sign a new certificate for every client, you just need a copy of the CA certificate on each client.

Susan wrote:
> Hi, everyone. I think this subject has been briefly raised before but I've more questions.
>
> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
> Has anybody done this?
> RHCS doesn't seem to be open-sourced. Is there a reliable free alternative?
>
> The problem I'm trying to solve is that my CA cert is self-signed. I guess even if it weren't,
> the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS. Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption.
>
> What's the best way to go about doing this? I don't want to manually create/deploy dozens of
> certs for various clients. I also need a way to implement CRL somehow, in case a box is
> compromised.
>
> Thank you.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
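The three conditions in the reply above, plus Susan's CRL requirement, walked through end to end. This is an added example and not code from either poster or from Fedora DS/RHCS; it assumes only the openssl command-line tool, and the hostname fds.example.internal, the CA name and the ca.cnf settings are made up for the demonstration. It builds an internal CA, issues one server cert, builds a self-signed impostor cert carrying the same name (what a MITM box would present), and shows that a client holding nothing but a copy of ca.pem accepts the genuine cert, rejects the impostor, and rejects the genuine cert once it has been revoked on a CRL.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes only the openssl CLI.
# fds.example.internal, "Example Internal CA" and ca.cnf are made-up values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
FDS_HOST=fds.example.internal   # assumed hostname of the directory server

# ---- Done once, on the CA host -------------------------------------------
# ca.pem is the only file every client needs a copy of; ca.key stays here.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -keyout ca.key -out ca.pem -subj "/CN=Example Internal CA" >/dev/null 2>&1

# Minimal "openssl ca" database so the CA can revoke certs and issue CRLs.
mkdir ca_db
: > ca_db/index.txt
echo 1000 > ca_db/crlnumber
cat > ca.cnf <<EOF
[ ca ]
default_ca = internal_ca
[ internal_ca ]
database         = $WORK/ca_db/index.txt
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 30
crlnumber        = $WORK/ca_db/crlnumber
EOF

# Server cert for the FDS host, signed by the CA, host name in subjectAltName.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=$FDS_HOST" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$FDS_HOST" > san.ext
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -sha256 -extfile san.ext -out server.pem >/dev/null 2>&1

# Impostor: self-signed, same name. Without a CA the client could not tell it apart.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -keyout mitm.key -out mitm.pem -subj "/CN=$FDS_HOST" >/dev/null 2>&1

# ---- What a client does on every connection ------------------------------
# Chain the presented cert to the pinned CA, check the name, and, if a CRL is
# given, check the cert is not on it. Returns 0 = accept, non-zero = reject.
# $1 = presented cert, $2 = CRL file or "" to skip revocation checking.
client_verify() {
    if [ -n "$2" ]; then
        openssl verify -CAfile ca.pem -CRLfile "$2" -crl_check \
            -verify_hostname "$FDS_HOST" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile ca.pem -verify_hostname "$FDS_HOST" "$1" >/dev/null 2>&1
    fi
}

# ---- Revocation, for the "a box is compromised" case ---------------------
gen_crl()     { openssl ca -config ca.cnf -gencrl -out "$1" >/dev/null 2>&1; }
revoke_cert() { openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1; }

# Walk through the scenarios and record each verdict (1 = accepted).
real_ok=0;          client_verify server.pem ""       && real_ok=1
mitm_ok=0;          client_verify mitm.pem ""         && mitm_ok=1
gen_crl crl0.pem    # CRL issued before any revocation
before_revoke_ok=0; client_verify server.pem crl0.pem && before_revoke_ok=1
revoke_cert server.pem
gen_crl crl1.pem    # CRL issued after the server cert was revoked
after_revoke_ok=0;  client_verify server.pem crl1.pem && after_revoke_ok=1

printf 'genuine FDS cert, CA pinned:        %s\n' "$real_ok"
printf 'impostor cert, CA pinned:           %s\n' "$mitm_ok"
printf 'genuine cert + CRL before revoke:   %s\n' "$before_revoke_ok"
printf 'genuine cert + CRL after revoke:    %s\n' "$after_revoke_ok"
```

The same checks are what an OpenLDAP-based client applies when ldap.conf carries `TLS_CACERT /path/to/ca.pem` and `TLS_REQCERT demand`, so distributing ca.pem is the whole client-side deployment; per-client certificates only become necessary if the server must authenticate clients. The CRL only helps if clients actually fetch and consult it, which is the part that needs a distribution mechanism of its own (a URL the CA publishes and a periodic fetch on each client); a stale CRL behaves like the crl0.pem case above and still accepts the revoked cert.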