
Re: SSL/TLS and certificate generation/handling in debian-edu (bug 571)



* Herman Robak (herman@skolelinux.no) [040825 22:37]:
> In the next developer gathering in Oslo, I will focus on finding
> good solutions to certificate generation and handling in Debian-edu
> installations.
> 
> Problems: Automatic generation of local certificates, and distributing
> 	the "root" certificate to the clients automatically during
> 	installation.
> 
> Pregenerated certificates are a big no-no.  The private key has to
> be unique, with restricted access, on each installation.
> 
> Manual signing is too cumbersome.  Getting the server certificate
> signed by Thawte or Verisign is expensive.  It is also overkill,
> unless the SSL server is to be accessible over the Internet.
> 
> I would like to discuss secure, yet convenient ways to automate
> the process of generating a "local CA", and distributing the
> "root" certificate of that local CA to the clients.

roland and i discussed this here during the week and found a
workable secure solution for a safe and strongly encrypted
connected solution to other hosts with help of the kerberos5
protocol. basically we would open an encrypted kerberos pipe over
the net to pull whatever private data we want. code for this
exists. 

the remaining problem is the selection of the CA and nice and
proper organisation of the cn, SubAltName etc. sadly there is no
good CA in debian that i know of.
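
One way to script the per-installation local CA discussed in this thread, with the server's CN and subjectAltName set explicitly (an added example, not code from the thread or from Debian-edu). The directory layout, host names, key size and lifetimes are assumptions, and the `openssl` command-line tool is assumed to be installed.

```sh
#!/bin/sh
# Added example; names, paths and lifetimes are assumptions, not Debian-edu's.

# make_local_ca DIR CA_NAME: generate a CA key and self-signed root on this host.
make_local_ca() (
    dir=$1; ca_name=$2
    umask 077                          # keys are created owner-only
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $ca_name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" &&
    chmod 644 "$dir/ca.crt"            # only the root certificate is public
)

# issue_server_cert DIR FQDN SHORT: CN is the FQDN, both names go into the SAN.
issue_server_cert() (
    dir=$1; fqdn=$2; short=$3
    umask 077
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn, DNS:$short
EOF
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$fqdn" \
        -config "$dir/ca.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" &&
    chmod 644 "$dir/server.crt"
)
```

Only `ca.crt` needs to reach the clients; `ca.key` and `server.key` never leave the host that generated them.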


