Mike Jackson wrote:
> Susan wrote:
>
>> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>
> Handing out CA certs to clients is simply a matter of copying the file
> to the client, and maybe entering it into the certificate database e.g.
> like the Netscape Communicator or FDS certdb.
>
>> Is there a reliable free alternative?
>
> OpenSSL is a free tool with all of the capabilities which are required
> to run a CA. I use it for all of my CA operations.
>
>> The problem I'm trying to solve is that my CA cert is self-signed.
>
> That is not a problem, it's a fact. Contrary to popular belief,
> self-signed CA certs are not bad when used company-internally. In fact,
> there are many benefits compared to having all of your certs issued from
> a commercial CA. Commercial server certs are for when you run public
> internet services and don't want your customers to see certificate
> questions. Why would they see certificate questions? Because their
> applications don't come bundled with your root CA cert...

It really depends on where you are deploying SSL. If you are deploying
certificates for web servers it is a real problem. The trouble is that
unless there is a central authority, dozens of internal sites will each
have their own CA, training users to blindly accept every unknown web
server as ok. So when these same users encounter the situation outside of
the intranet, well, you get the picture. It opens up users to
man-in-the-middle attacks.

> When you control the network, you can deploy applications with your root
> CA cert already inserted, or you can simply deploy it to workstations
> with Tivoli or cfengine, etc. Your internal customers still don't see
> certificate questions.
>
>> I guess even if it weren't, the management is a little concerned about
>> MITM attacks against the FDS, so we need a way to verify that the server
>> saying that it's our FDS really is the FDS.
>
> No problem. Just issue the FDS server certs from your own CA, e.g.
> OpenSSL. Import your own root CA cert into FDS as well. Import your own
> root CA cert to your clients, e.g. linux, solaris. The clients will
> verify the FDS cert against their copy of the root CA cert.
>
> Finally, as soon as I get time, I will update the SSL Howto. I already
> have all of the scripts and methods for fully automated setup of FDS
> with a third-party CA, namely OpenSSL. Lack of time is the only reason
> why I haven't yet written it up on the wiki.

Note that OpenSSL could introduce exactly the same problems that users have
encountered trying to use NSS as a poor-man's CA, namely issuing multiple
CA certificates for each server in the MMR. The solution here isn't the
SSL library, it is the method in which it is used. NSS can easily handle
these too and you can operate more directly on the certificate databases
with it.

PKI is definitely not for the weak of heart but the illusion of security
is worse than no security at all.

rob
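The setup Mike describes (issue the FDS server cert from your own OpenSSL root CA, give clients the root, let them verify the server against it), as an added example written for this page rather than taken from the thread or from the FDS project; hostnames, paths and the `Example Corp` names are constructed, and a client check that also matches the host name is included because that is what distinguishes the real FDS from a server merely claiming to be it.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal private CA with the OpenSSL CLI.
# Hostnames and paths are constructed; WORK defaults to a fresh temp directory.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed root CA (key + cert) in directory $1 with CN $2.
# The stock openssl.cnf marks a 'req -x509' certificate as CA:TRUE.
make_root_ca() {
  dir="$1"; cn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/O=Example Corp/CN=$cn" 2>/dev/null
}

# Issue a server certificate for host $2, signed by the CA in $1,
# writing $3.key / $3.csr / $3.crt (the key and cert the FDS server would get).
issue_server_cert() {
  dir="$1"; host="$2"; out="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$out.key" -out "$out.csr" -subj "/CN=$host" 2>/dev/null
  openssl x509 -req -in "$out.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$out.crt" 2>/dev/null
}

# Client-side check: server cert $2 must chain to the client's copy of the
# root CA $1 AND carry the expected host name $3. Returns 0 only when both
# hold; a cert from any other CA, or for another host, is rejected.
verify_against_root() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demonstration: one root, one FDS server cert, one client verification.
make_root_ca "$WORK" "Example Corp Root CA"
issue_server_cert "$WORK" fds.example.internal "$WORK/fds"
if verify_against_root "$WORK/ca.crt" "$WORK/fds.crt" fds.example.internal; then
  echo "fds.crt chains to ca.crt and names fds.example.internal"
fi
```

A second, independent root (the per-server CA sprawl rob warns about) produces certs that clients holding only the first root will refuse, which is the behaviour to check for before rolling the root out to workstations.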