[Fedora-directory-users] FDS & Red Hat Certificate System

[George Holbert]

>
> ...the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS.  Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption.

If I'm interpreting your question right, I think you're already covered 
for this as long as:
- Your client apps do server cert verification.
- Your internal CA isn't compromised.
- Your cert/key DB files on your FDS servers haven't been compromised.

You shouldn't need to sign a new certificate for every client, you just 
need a copy of the CA certificate on each client.




Susan wrote:
> Hi, everyone.  I think this subject has been briefly raised before but I've more questions.
>
> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?  
> Has anybody done this?
> RHCS doesn't seem to be opensourced.  Is there a reliable free alternative?
>
> The problem I'm trying to solve is that my CA cert is self-signed.  I guess even if it weren't,
> the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS.  Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption. 
>
> What's the best way to go about doing this?  I don't want to manually create/deploy dozens of
> certs for various clients.  I also need a way to implement CRL somehow, in case a box is
> comprosmised.
>
> Thank you.
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>