From: Richard Megginson <rmeggins(a)redhat.com>
Susan wrote:
> >oops, you're right, I didn't think that through. Of course.
> >it just seems that managing CA certs on the clients would be a real pain.
Indeed it is, if you have to update thousands of clients with the CA
cert. But then, if you have such a large deployment, you will probably
find it beneficial to apply for a real CA cert from Verisign or some
such, and use a real CA.
That's why it's so important to generate a proper CA cert in the first
place, and keep it safe. I see many people on mailing lists talking
about how they generated a single self-signed cert and are using it as
their actual server cert. No matter how much time we spend explaining
why this is a stupid idea, they still do it. I'm not a big fan of paying
real money for a random string of bits, and even Verisign has made
screwups in the past. Basically, as long as you keep the CA's private key
safe, there shouldn't be any problem running with your own CA cert.
Red Hat Certificate System has support for web based cert issuance. It
supports CRL generation and has an OCSP responder. It can generate
certs and automatically publish them to an LDAP server (e.g. to generate
the userCertificate attribute for users).
Since we're on the topic, Symas has a CA module for OpenLDAP that
generates certs on the fly for authenticated users. Naturally, since it
executes inside slapd, the cert is automatically stored in the user's
LDAP entry. It's been part of our Connexitor EMS suite since 1999, works
> >Besides, is there any way within this whole FDS framework to revoke Certs?
This issue is outside of Fedora DS. It's more of an issue with your PK
infrastructure and your CA.
> >If the ldap server is
> >compromised, how do I tell the clients not to trust it (or the CA or both)?
If the CA is compromised, all bets are off. Life can get ugly when the
CA cert expires too...
Revoke the cert on the CA, and have the CA generate a CRL. Then, push
out this CRL to all of your clients. I'm not sure how to do this with
openssl, but NSS provides a command line tool called crlutil that can be
used to install a CRL into your cert database.
Mozilla/Firefox/Thunderbird can do this automatically.
Newer OpenSSL (certainly 0.9.8, but possibly also 0.9.7) versions can do
CRL checking automatically, but you still must configure a source of
CRLs to check. It's a bit more tedious in 0.9.6 and older.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
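The sequence described in the thread (run a proper CA instead of a single self-signed server cert; when a server is compromised, revoke its cert on the CA, generate a CRL and push the CRL to the clients) as an added shell example, using only the openssl command line. This is not code from the thread, nor from Fedora DS, Red Hat Certificate System or Symas. The CA name, the server name ldap.example.internal, the ./demo-ca directory and all lifetimes are invented for the demo. The point it makes that the prose only states: a client that has not received the CRL keeps trusting the revoked cert, so revocation is only as good as CRL distribution.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA with openssl,
# issue one server cert, revoke it, publish a CRL, and watch a client's
# verdict change. Names, paths and lifetimes are made up for the demo.
set -eu

DIR=${DEMO_CA_DIR:-./demo-ca}

# Minimal config: "openssl ca" needs a database, serial and crlnumber file,
# and "openssl req" insists on a distinguished_name section even with -subj.
write_config() {
    cat > "$DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = v3_server
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# The CA cert is what you hand to clients; the CA key is what you keep safe.
setup_ca() {
    rm -rf "$DIR"
    mkdir -p "$DIR/newcerts"
    : > "$DIR/index.txt"; echo 01 > "$DIR/serial"; echo 01 > "$DIR/crlnumber"
    write_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$DIR/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Demo Root CA" \
        -keyout "$DIR/ca.key" -out "$DIR/ca.crt" 2>/dev/null
}

# A server cert signed by the CA, rather than one self-signed cert doing
# double duty as CA and server cert (which has no issuer that could revoke it).
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$DIR/openssl.cnf" -subj "/CN=ldap.example.internal" \
        -keyout "$DIR/server.key" -out "$DIR/server.csr" 2>/dev/null
    openssl ca -batch -notext -config "$DIR/openssl.cnf" \
        -in "$DIR/server.csr" -out "$DIR/server.crt" 2>/dev/null
}

# Mark the cert revoked in the CA database and emit a signed CRL.
revoke_and_gencrl() {
    openssl ca -batch -config "$DIR/openssl.cnf" \
        -revoke "$DIR/server.crt" -crl_reason keyCompromise 2>/dev/null
    openssl ca -batch -config "$DIR/openssl.cnf" -gencrl -out "$DIR/ca.crl" 2>/dev/null
}

# Client-side check. Prints "ok", "revoked" or "error: ..."; the optional second
# argument is the CRL the client has been given (none means it never got one).
verify_cert() {
    cert=$1; crl=${2:-}
    if [ -n "$crl" ]; then
        out=$(openssl verify -crl_check -CAfile "$DIR/ca.crt" -CRLfile "$crl" "$cert" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$DIR/ca.crt" "$cert" 2>&1) || true
    fi
    case $out in
        *": OK"*)                echo ok ;;
        *"certificate revoked"*) echo revoked ;;
        *)                       echo "error: $out" ;;
    esac
}

demo() {
    setup_ca
    issue_server_cert
    echo "before revocation:          $(verify_cert "$DIR/server.crt")"
    revoke_and_gencrl
    echo "after revocation, no CRL:   $(verify_cert "$DIR/server.crt")"
    echo "after revocation, with CRL: $(verify_cert "$DIR/server.crt" "$DIR/ca.crl")"
    # ca.crl is the artifact that has to reach every client
    openssl crl -in "$DIR/ca.crl" -noout -text | grep -E 'Next Update|Serial Number|Revocation Date'
}

demo
```

The middle line of the output is the one to notice: the cert is already revoked in the CA's own database, yet `openssl verify` without a CRL still says OK, because the client has nothing to check against. Distributing ca.crl (for an NSS client, importing it with crlutil as the thread mentions) is what turns the verdict into "certificate revoked"; the `Next Update` field in the CRL is the deadline by which the next one must have reached the clients.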