[Fedora-directory-users] FDS & Red Hat Certificate System

Mike Jackson mj at sci.fi
Wed Mar 29 21:43:58 UTC 2006


Susan wrote:

> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?  

Handing out CA certs to clients is simply a matter of copying the file 
to the client, and maybe entering it into a certificate database, e.g. 
the Netscape Communicator or FDS certdb.

> Is there a reliable free alternative?

OpenSSL is a free tool with all of the capabilities which are required 
to run a CA. I use it for all of my CA operations.


> The problem I'm trying to solve is that my CA cert is self-signed.

That is not a problem, it's a fact. Contrary to popular belief, 
self-signed CA certs are not bad when used company-internally. In fact, 
there are many benefits compared to having all of your certs issued from 
a commercial CA. Commercial server certs are for when you run public 
internet services and don't want your customers to see certificate 
questions. Why would they see certificate questions? Because their 
applications don't come bundled with your root CA cert...

When you control the network, you can deploy applications with your root 
CA cert already inserted, or you can simply deploy it to workstations 
with Tivoli or cfengine, etc. Your internal customers still don't see 
certificate questions.


> I guess even if it weren't, the management is a little concerned about
> MITM attacks against the FDS, so we need a way to verify that the server
> saying that it's our FDS really is the FDS.

No problem. Just issue the FDS server certs from your own CA, e.g. 
OpenSSL. Import your own root CA cert into FDS as well. Import your own 
root CA cert to your clients, e.g. linux, solaris. The clients will 
verify the FDS cert against their copy of the root CA cert.


> Right now no certs are deployed on the clients, we're using them only
> for SSL traffic encryption.
> 
> What's the best way to go about doing this?  I don't want to manually
> create/deploy dozens of certs for various clients.  I also need a way to
> implement CRL somehow, in case a box is compromised.

Your clients don't need certificates, they only need a copy of your root 
CA cert - the same file for every client. You do not generally need to 
use "client authentication"; you really have to know what you are doing 
with PKI to know why you would want to use it. Clients generally do not 
need their own certs unless they are people and are doing S/MIME email.

It appears that you have fundamental misunderstandings of what a PKI is 
and does, and I suggest that you study the subject instead of using the 
learn-as-you-go ad-hoc network architecture method.

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm

http://www.opengroup.org/messaging/G260/pki_tutorial.htm


Finally, as soon as I get time, I will update the SSL Howto. I already 
have all of the scripts and methods for a fully automated setup of FDS 
with a third-party CA, namely OpenSSL. Lack of time is the only reason 
why I haven't yet written it up on the wiki.


BR,
--
mike