[Fedora-directory-users] FDS & Red Hat Certificate System

Rob Crittenden rcritten at redhat.com
Wed Mar 29 22:02:33 UTC 2006


Mike Jackson wrote:
> Susan wrote:
> 
>> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?  
> 
> 
> Handing out CA certs to clients is simply a matter of copying the file 
> to the client, and maybe entering it into the certificate database e.g. 
> like the Netscape Communicator or FDS certdb.
> 
>> Is there a reliable free alternative?
> 
> 
> OpenSSL is a free tool with all of the capabilities which are required 
> to run a CA. I use it for all of my CA operations.
> 
> 
>> The problem I'm trying to solve is that my CA cert is self-signed.
> 
> 
> That is not a problem, it's a fact. Contrary to popular belief, 
> self-signed CA certs are not bad when used company internal. In fact, 
> there are many benefits compared to having all of your certs issued from 
> a commercial CA. Commercial server certs are for when you run public 
> internet services and don't want your customers to see certificate 
> questions. Why would they see certificate questions? Because their 
> applications don't come bundled with your root CA cert...

It really depends on where you are deploying SSL. If you are deploying 
certificates for web servers it is a real problem. The trouble is that 
unless there is a central authority, dozens of internal sites will each 
have their own CA, training users to blindly accept every unknown web 
server as ok. So when these same users encounter the situation outside 
of the intranet, well, you get the picture. It opens up users to 
man-in-the-middle attacks.

> When you control the network, you can deploy applications with your root 
> CA cert already inserted, or you can simply deploy it to workstations 
> with Tivoli or cfengine, etc. Your internal customers still don't see 
> certificate questions.
> 
> 
>> I guess even if it weren't, the management is a little concerned about
>> MITM attacks against the FDS, so we need a way to verify that the server
>> saying that it's our FDS really is the FDS.
> 
> No problem. Just issue the FDS server certs from your own CA, e.g. 
> OpenSSL. Import your own root CA cert into FDS as well. Import your own 
> root CA cert to your clients, e.g. linux, solaris. The clients will 
> verify the FDS cert against their copy of the root CA cert.
> 
> 
> Finally, as soon as I get time, I will update the SSL Howto. I already 
> have all of the scripts and methods for fully automated setup of FDS 
> with a third-party CA, namely OpenSSL. Lack of time is the only reason 
> why I haven't yet written it up on the wiki.
> 

Note that OpenSSL could introduce exactly the same problems that users 
have encountered trying to use NSS as a poor-man's CA, namely issuing 
multiple CA certificates for each server in the MMR. The solution here 
isn't the SSL library, it is the method in which it is used. NSS can 
easily handle these too and you can operate more directly on the 
certificate databases with it.

PKI is definitely not for the weak of heart but the illusion of security 
is worse than no security at all.

rob
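The setup Mike describes (issue the FDS server cert from your own OpenSSL CA, give clients a copy of the root CA cert, let the client verify the server cert against that copy) and Rob's point that a cert from some other CA must not be accepted, as an added shell example that is not part of this thread or of FDS. It drives OpenSSL from a small self-contained config file rather than the system openssl.cnf; the hostname fds.example.internal, the "rogue" second CA and the file layout under a temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: an internal CA run with OpenSSL,
# one FDS server cert issued from it, and the client-side check described
# above (the client trusts only its own copy of the root CA cert). The
# hostname fds.example.internal, the "rogue" second CA and all file paths
# are constructed for this demo.
set -e

WORK=$(mktemp -d)

# Minimal OpenSSL config so the example does not depend on the system
# openssl.cnf. ca_ext marks a CA cert; srv_ext marks an end-entity server cert.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:fds.example.internal
EOF

# make_root_ca NAME : self-signed root CA key + cert in $WORK/NAME.{key,crt}
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/pki.cnf" -extensions ca_ext \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_server_cert CA OUT : server key + CSR, signed by CA -> $WORK/OUT.crt
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/pki.cnf" -subj "/CN=fds.example.internal" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 825 -sha256 \
    -extfile "$WORK/pki.cnf" -extensions srv_ext -out "$WORK/$2.crt" 2>/dev/null
}

# client_accepts ROOT CERT : what an LDAP client does on connect: chain the
# presented cert to its trusted root AND check the name matches. Exit 0 = accept.
client_accepts() {
  openssl verify -CAfile "$WORK/$1.crt" \
    -verify_hostname fds.example.internal "$WORK/$2.crt" >/dev/null 2>&1
}

make_root_ca corp-root            # the one CA every client is given
issue_server_cert corp-root fds   # the real FDS server cert
make_root_ca rogue-root           # some other self-signed CA (an attacker's,
issue_server_cert rogue-root fake # or a second ad-hoc CA inside the company)

# Results usable by a caller: exit 0 when the client accepts the cert.
real_fds_accepted() { client_accepts corp-root fds; }
fake_fds_accepted() { client_accepts corp-root fake; }

real_fds_accepted && echo "fds.crt: OK (issued by the trusted root)"
fake_fds_accepted || echo "fake.crt: rejected (issuer not in client trust store)"
```

The second CA is the failure mode both replies touch on: a cert for the right hostname, signed by a perfectly valid self-signed CA that the client was never given, is rejected, and it stays rejected only if every server in the MMR is issued from the single root the clients carry rather than each getting its own CA.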