Susan wrote:
> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?

Handing out CA certs to clients is simply a matter of copying the file to the client, and maybe entering it into the certificate database, e.g. the Netscape Communicator or FDS certdb.

> Is there a reliable free alternative?

OpenSSL is a free tool with all of the capabilities which are required to run a CA. I use it for all of my CA operations.

> The problem I'm trying to solve is that my CA cert is self-signed.

That is not a problem, it's a fact. Contrary to popular belief, self-signed CA certs are not bad when used company-internal. In fact, there are many benefits compared to having all of your certs issued from a commercial CA. Commercial server certs are for when you run public internet services and don't want your customers to see certificate questions. Why would they see certificate questions? Because their applications don't come bundled with your root CA cert... When you control the network, you can deploy applications with your root CA cert already inserted, or you can simply deploy it to workstations with Tivoli or cfengine, etc. Your internal customers still don't see certificate questions.

> I guess even if it weren't, the management is a little concerned about
> MITM attacks against the FDS, so we need a way to verify that the server
> saying that it's our FDS really is the FDS.

No problem. Just issue the FDS server certs from your own CA, e.g. OpenSSL. Import your own root CA cert into FDS as well. Import your own root CA cert to your clients, e.g. linux, solaris. The clients will verify the FDS cert against their copy of the root CA cert.

> Right now no certs are deployed on the clients, we're using them only
> for SSL traffic encryption.
>
> What's the best way to go about doing this? I don't want to manually
> create/deploy dozens of certs for various clients. I also need a way to
> implement CRL somehow, in case a box is compromised.

Your clients don't need certificates, they only need a copy of your root CA cert - the same file for every client. You do not generally need to use "client authentication"; you really have to know what you are doing with PKI to know why you would want to use it. Clients generally do not need their own certs unless they are people and are doing S/MIME email.

It appears that you have fundamental misunderstandings of what a PKI is and does, and I suggest that you study the subject instead of using the learn-as-you-go ad-hoc network architecture method.

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm
http://www.opengroup.org/messaging/G260/pki_tutorial.htm

Finally, as soon as I get time, I will update the SSL Howto. I already have all of the scripts and methods for a fully automated setup of FDS with a third-party CA, namely OpenSSL. Lack of time is the only reason why I haven't yet written it up on the wiki.

BR,
-- 
mike
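The procedure mike sketches (a self-signed root CA run with OpenSSL, an FDS server cert issued from it, the client checking that cert against its own copy of the root, and a CRL for the "box is compromised" case) worked through end to end as an added example. This is not code from the original thread, from mike's SSL Howto, or from FDS/RHCS; the scratch directory, the minimal ca.cnf, and the host name fds.example.internal are assumptions made here so it runs stand-alone with a plain `openssl` binary.

```shell
#!/bin/sh
# Added example (not from the original post or FDS): private root CA with
# OpenSSL, server cert for the FDS host, client-side verification, then
# revocation via a CRL. Assumes `openssl` on PATH; paths/names are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"
FDS_HOST="fds.example.internal"   # assumed FDS host name

# Minimal openssl.cnf for `openssl ca` (constructed for this example).
write_ca_config() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"          # CA database: one line per issued cert
    echo 1000 > "$WORK/serial"
    echo 1000 > "$WORK/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = internal_ca
[ internal_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Internal Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FDS_HOST
EOF
}

# Self-signed root. ca.crt is the one file every client gets a copy of;
# ca.key never leaves the CA machine.
make_root_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$WORK/ca.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Key + CSR for the FDS host, signed by the CA with server-only extensions
# (CA:FALSE, serverAuth) so the issued cert cannot itself sign anything.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FDS_HOST" \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/fds.key" -out "$WORK/fds.csr" 2>/dev/null
    openssl ca -batch -config "$WORK/ca.cnf" -extensions v3_server \
        -in "$WORK/fds.csr" -out "$WORK/fds.crt" 2>/dev/null
}

# What a client does: chain the presented server cert to its root copy.
verify_against_root() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/fds.crt" >/dev/null 2>&1
}

# Box compromised: mark the cert revoked in the CA database and publish a CRL.
revoke_server_cert() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/fds.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Client with CRL checking on: must now reject the same cert.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
        "$WORK/fds.crt" >/dev/null 2>&1
}

# First column of index.txt: V = valid, R = revoked.
cert_status() {
    awk 'NR == 1 { print $1 }' "$WORK/index.txt"
}

write_ca_config
make_root_ca
issue_server_cert
verify_against_root
echo "client accepts $FDS_HOST cert via its copy of the root CA"
revoke_server_cert
if verify_with_crl; then
    echo "BUG: revoked cert still accepted"
else
    echo "client rejects $FDS_HOST cert after CRL check (status $(cert_status))"
fi
```

Only ca.crt is copied to the Linux/Solaris clients and into FDS; the server gets fds.key and fds.crt. For an NSS certdb such as the one FDS uses, the import is `certutil -A -n "Internal Root CA" -t "CT,," -i ca.crt -d <certdb dir>` (the nickname and directory are assumptions). The CRL does nothing unless clients are configured to fetch and check it, which is why the last step verifies with `-crl_check` rather than just trusting the root.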