
Re: certificate server



requirement:    certificate authority
package:        openssl
installation:   apt-get install openssl

Openssl has all the functionality you need to create and operate your own
Certificate Authority.

Openssl can generate a self-signed certificate for the CA itself.
Openssl can generate and sign server certificates - eg for your web, imap, pop
servers
Openssl can generate and sign PFX and P7B certificates for email / browser client
certificates
Openssl can sign certificate requests created by MSIE 5.01+ and NS 4.75+
Openssl can revoke client certificates
Openssl will keep your CRL up-to-date
etc...

I operate our CA using openssl and in-house scripting, for secure web and mail
services with extensive use of client certificates in MSIE, Netscape, Outlook,
Outlook Express. (Though Outlook does not seem to support client certs yet
[anyone disagree?])

I manage about ~500 active users and ~20 servers. If you are looking to manage
10,000s of certificates you will probably have to develop your own scripts to
manage the CA, as the textbase must fit entirely in memory. With about 1000
certs, the textbase is only about 150K 8-)

If you understand how a CA works, then it's easy peasy. If not, you will need to
understand how a CA works before you dive in.

The documentation is poor, and last I looked, there were not many examples - it
seems to still have a whiff of the arcane.

I've often thought someone should create some MINI-HOWTOs covering the full cycle
from CA setup and operation through to client CSR, signing and installation etc.
It took me a lot of trial and effort to get it all hanging sweetly, esp for
example getting MSIE to create a CSR and then install the signed cert under the
various NT4, XPsp1 etc. I am sure that there is probably a 'Better Way'.

I would be happy to contribute, but we need a recognised / trusted person to act
as focus / coordinator. A second phase might be to refine the scripts to make
full CA operation a breeze, maybe even in conjunction with openssl.org? [openssl
config seems to have a lot of detritus from early days left in it]

HIH,

Jeff

----- Original Message ----- 
From: "rico" <rico@home.ro>
To: <debian-security@lists.debian.org>
Sent: Tuesday, November 04, 2003 8:43 AM
Subject: certificate server


Hello

Do you know if there exists a package that implements a certificate server (PKI) for
Debian, and where I can find it?

Thank you very much!
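
The CA cycle listed in the reply above (self-signed CA certificate, signing a server request, revocation, CRL), as an added example that is not part of the original thread or of anyone's in-house scripts. The directory layout, config section names and subject names are assumptions made for illustration; it needs only the openssl command-line tool.

```shell
# Added example: private CA lifecycle with the openssl CLI. Directory layout,
# section names and subject names are constructed for illustration.
set -eu
ca_lifecycle() (            # body runs in a subshell so the cd stays local
    cd "$1" && mkdir -p ca/newcerts
    : > ca/index.txt        # the CA "textbase": one line per issued cert
    echo 01 > ca/serial     # next serial number, hex
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ leaf ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
x509_extensions = leaf
policy = policy_cn
[ policy_cn ]
commonName = supplied
EOF
    # 1. Self-signed CA certificate (-nodes leaves the key unencrypted: demo only)
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo CA" -keyout ca/ca.key -out ca/ca.crt 2>/dev/null
    # 2. Server key and CSR, then the CA signs the request
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" -keyout srv.key -out srv.csr 2>/dev/null
    openssl ca -batch -config ca.cnf -in srv.csr -out srv.crt 2>/dev/null
    openssl verify -CAfile ca/ca.crt srv.crt >/dev/null
    # 3. Revoke the certificate and publish a fresh CRL
    openssl ca -config ca.cnf -revoke srv.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca/crl.pem 2>/dev/null
    # 4. A relying party that checks the CRL must now reject the certificate
    openssl verify -crl_check -CAfile ca/ca.crt -CRLfile ca/crl.pem srv.crt 2>&1 |
        grep -q "certificate revoked"
    cut -f1 ca/index.txt    # status column: V = valid, R = revoked
)
ca_lifecycle "$(mktemp -d)"
```

Revocation only takes effect for clients that actually fetch and check the CRL, which is why step 4 verifies with `-crl_check` rather than relying on the `R` entry in index.txt alone.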



