Susan wrote:
Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
Handing out CA certs to clients is simply a matter of copying the file
to the client, and maybe entering it into the certificate database e.g.
like the Netscape Communicator or FDS certdb.
Is there a reliable free alternative?
OpenSSL is a free tool with all of the capabilities which are required
to run a CA. I use it for all of my CA operations.
The problem I'm trying to solve is that my CA cert is self-signed.
That is not a problem, it's a fact. Contrary to popular belief,
self-signed CA certs are not bad when used company internal. In fact,
there are many benefits compared to having all of your certs issued from
a commercial CA. Commercial server certs are for when you run public
internet services and don't want your customers to see certificate
questions. Why would they see certificate questions? Because their
applications don't come bundled with your root CA cert...
When you control the network, you can deploy applications with your root
CA cert already inserted, or you can simply deploy it to workstations
with Tivoli or cfengine, etc. Your internal customers still don't see
certificate questions.
I guess even if it weren't, the management is a little concerned about
> MITM attacks against the FDS, so we need a way to verify that the server
> saying that it's our FDS really is the FDS.
No problem. Just issue the FDS server certs from your own CA, e.g.
OpenSSL. Import your own root CA cert into FDS as well. Import your own
root CA cert to your clients, e.g. linux, solaris. The clients will
verify the FDS cert against their copy of the root CA cert.
Right now no certs are deployed on the clients, we're using them only
> for SSL traffic encryption.
What's the best way to go about doing this? I don't want to manually create/deploy dozens of
certs for various clients. I also need a way to implement CRL somehow, in case a box is
comprosmised.
Your clients don't need certificates, they only need a copy of your root
CA cert - the same file for every client. You do not generally need to
use "client authentication"; you really have to know what you are doing
with PKI to know why you would want to use it. Clients generally do not
need their own certs unless they are people and are doing S/MIME email.
It appears that you have fundamental misunderstandings of what a PKI is
and does, and I suggest that you study the subject instead of using the
learn-as-you-go ad-hoc network architecture method.
http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm
http://www.opengroup.org/messaging/G260/pki_tutorial.htm
Finally, as soon as I get time, I will update the SSL Howto. I already
have all of the scripts and methods for fully automated setup up FDS
with a third-party CA, namely OpenSSL. Lack of time is the only reason
why I haven't yet written it up on the wiki.
BR,
--
mike
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
