On Tue, 2008-03-25 at 19:37 -0400, Ricky Zhou wrote:
On 2008-03-25 06:04:16 PM, Dennis Gilmore wrote:
> Products to be evaluated:
>
> http://pki.fedoraproject.org/wiki/PKI_Main_Page
> https://www.openca.org/
> http://ejbca.sourceforge.net/
> Something custom
We took a quick look at some of these in IRC, and I'd personally prefer
something that doesn't use LDAP for storage (since we didn't end up
going with LDAP for FAS, and it seems like overkill for just the CA).
Even not using LDAP for all of FAS, there's still a lot of things we
could export from the db -> ldap to be more easily used and accessible.
So I wouldn't discount LDAP just because it's not the backing store of
FAS.
I haven't looked too deeply yet, but I'm currently leaning towards
something custom. Would certmaster possibly be a good project to work
on for providing this kind of functionality?
Also, going off and building our own thing feels like it's going to be a
long-term detriment. Some of the bits for proper CRLs and the like are
not trivial and very important to get "right".
Jeremy