[Fedora-directory-users] FDS & Red Hat Certificate System

Richard Megginson rmeggins at redhat.com
Wed Mar 29 21:40:03 UTC 2006


Susan wrote:
> Hi, everyone.  I think this subject has been briefly raised before but I've more questions.
>
> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>   
Yes.  You go to the RHCS web interface, click "Get CA Cert Chain", and 
you can download or copy/paste the CA cert for use with client apps (or 
importing into your web browser or email program or etc.).  This assumes 
you are using RHCS as your CA.
> Has anybody done this?
>   
We used this extensively at Netscape.
> RHCS doesn't seem to be opensourced.  Is there a reliable free alternative?
>   
I don't know.
> The problem I'm trying to solve is that my CA cert is self-signed.  I guess even if it weren't,
> the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS.
The only way to do this is to have a real FQDN as the cn of your server 
cert subject DN.  When the server presents its cert during the SSL 
handshake, the client can verify that the CA (whose cert you have in the 
client cert db) signed the server's cert, and that the hostname in 
subject DN in the server cert corresponds to the hostname that the 
server is on (reverse DNS lookup of the IP address of the server).
> Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption. 
>   
Do you mean client cert auth?
> What's the best way to go about doing this?  I don't want to manually create/deploy dozens of
> certs for various clients.
CA certs or client certs?  For the CA cert problem, AFAIK, there is no 
way around it - you have to configure your clients to trust your CA one 
way or another.  You can mitigate this somewhat by going through the 
process of getting a real CA cert from one of the trusted root CAs 
listed in your web browser or email client.
> I also need a way to implement CRL somehow, in case a box is
> compromised.
>   
RHCS also implements CRL generation and publishing, and also supports 
OCSP.  One of our engineers is developing a mod_revocator Apache module 
which will automatically get CRLs for Apache certificate status checking 
(for servers and clients).
> Thank you.
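The checks described in the reply above (the client verifying that the CA it trusts signed the server cert and that the name in that cert matches the host it is talking to, plus a CRL for the case where a box is compromised), worked through as an added example that is not part of the original message. It stands in a throwaway private CA built with the openssl CLI for what RHCS would do; it assumes `openssl` 1.1.0 or newer is on PATH, and "fds.example.com" and "Example Corp private CA" are placeholder names, not real hosts or CAs.

```shell
#!/bin/sh
# Added example, not from the original message: a throwaway private CA built with
# the openssl CLI, standing in for RHCS, to show the two client-side checks from the
# reply (trusted CA signature, hostname match) and what a CRL adds after a compromise.
# Assumes `openssl` 1.1.0 or newer on PATH. "fds.example.com" is a placeholder FQDN.
set -eu

FQDN=fds.example.com
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for `openssl ca`: issuing, revoking and CRL generation need its database.
cat > ca.cnf <<EOF
[ ca ]
default_ca       = fds_ca
[ fds_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 90
default_crl_days = 7
policy           = pol_cn
[ pol_cn ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Clients match the hostname against the SAN first; the CN is only a fallback.
subjectAltName   = DNS:$FQDN
EOF
touch index.txt
echo 1000 > serial

make_ca() {
    # Self-signed root: the cert that "Get CA Cert Chain" would hand to clients.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -days 365 -subj "/CN=Example Corp private CA" \
        -config ca.cnf -extensions ca_ext >/dev/null 2>&1
}

issue_server_cert() {
    # CSR with the FDS host's FQDN as the CN, signed by the CA with a matching SAN.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=$FQDN" -config ca.cnf >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -extensions server_ext -notext \
        -in server.csr -out server.crt >/dev/null 2>&1
}

# What the client does with the presented server cert: $1 is the hostname it
# connected to, $2 (optional) is a CRL to consult. Returns 0 only if the cert
# chains to ca.crt, names $1, and (when a CRL is given) has not been revoked.
client_accepts() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile ca.crt -verify_hostname "$1" \
            -crl_check -CRLfile "$2" server.crt >/dev/null 2>&1
    else
        openssl verify -CAfile ca.crt -verify_hostname "$1" server.crt >/dev/null 2>&1
    fi
}

revoke_and_publish_crl() {
    # Mark the compromised box's cert revoked in the CA database, then cut a signed CRL.
    openssl ca -config ca.cnf -revoke server.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

make_ca
issue_server_cert
client_accepts "$FQDN"              && echo "genuine host, trusted CA:  accepted"
client_accepts impostor.example.com || echo "same cert, wrong hostname: rejected"
revoke_and_publish_crl
client_accepts "$FQDN"              && echo "revoked, no CRL consulted: still accepted"
client_accepts "$FQDN" ca.crl       || echo "revoked, CRL consulted:    rejected"
```

The third result line is the one worth noticing: after revocation, a client that trusts the CA but never fetches the CRL (or asks an OCSP responder) keeps accepting the compromised host's cert, which is why the CRL publishing side matters as much as the CA side. The hostname check compares the name the client dialed with the subjectAltName (falling back to the CN when there is no SAN), so a stolen cert for one host is useless for impersonating another.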