[Fedora-directory-users] FDS & Red Hat Certificate System
George Holbert
gholbert at broadcom.com
Wed Mar 29 21:27:53 UTC 2006
>
> ...the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS. Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption.
If I'm interpreting your question right, I think you're already covered
for this as long as:
- Your client apps do server cert verification.
- Your internal CA isn't compromised.
- Your cert/key DB files on your FDS servers haven't been compromised.
You shouldn't need to sign a new certificate for every client, you just
need a copy of the CA certificate on each client.
Susan wrote:
> Hi, everyone. I think this subject has been briefly raised before but I've more questions.
>
> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
> Has anybody done this?
> RHCS doesn't seem to be opensourced. Is there a reliable free alternative?
>
> The problem I'm trying to solve is that my CA cert is self-signed. I guess even if it weren't,
> the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS. Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption.
>
> What's the best way to go about doing this? I don't want to manually create/deploy dozens of
> certs for various clients. I also need a way to implement CRL somehow, in case a box is
> comprosmised.
>
> Thank you.
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
More information about the Fedora-directory-users
mailing list