gorshing
19-01-2007 15:42:51
I honestly haven't been to a meeting in quite a while. But I was wondering if anybody has had experience with certificates. Such as being a Certificate Authority (CA) and issuing certificates. Has this been a training topic in the past (which I probably have missed) or will this be in the (hopefully near) future?
wolfie
21-01-2007 09:41:48
This is really hard to answer on the basis of being a little vague. PKI is quite a massive topic and really can be confusing if you are not familiar with some concepts.
If you are trying to setup a comprehensive Infrastructure as opposed to just a home setup you have a lot of different things to consider.
Like for instance in a corporate environment you have to take things into consideration like, do you control all the PC's or clients in your infrastructure, and can you easily push out your root certificate to all those clients easily? What about in three or so years when the cert expires? Do you have customers or outside parties that need to trust your root CA, or does it need to be trusted by the likes of Verisign or Thawte?
Most third-party cert providers offer a service where you can get a cert from them that will allow you to cut your own verisign trusted certs, but that comes with a lot of stipulations and insurance and an infrastructure that you have to show due dilligence to protect.
Of course if you are doing this for a company you will want to guard that infrastructure very well. Always have an offline root, never ever connect that machine to a network, ever.
Then you have a working certificate authority to service requests and validation and of course you will need a location, that is very public, to host your public certificate. You will have to make the decision on whether you need to place the certificate in a place that is accessible to external people or just internal to the company network.
As you can see this is not a simple topic, so if you have some specific questions, I might be able to help, but without that it is a broad subject. And don't get me started on all the options you have if you want to roll this into and Active Directory infrastructure....:)
Hope this helps out a little.
gorshing
20-07-2007 19:00:11
I posted my question as being vague for a reason, I am just curious of what experience anybody has had with it.
I mainly only use CACert for all my certificates, I signed up for Thwate's WoT but haven't done anything with it. Are any of you a member or assurer of these WoT's?
As for client PC's, I have worked on small internal system's where I could guarantee the user would have their own certificate and I authenticated from that. I am currently working on a system where the users of the system are not part of the domain and might even be using a public computer (such as one at local libraries). Being a trusted Root CA hasn't been an issue as of yet, because this system is only for affixing digital signatures on documents.
For certificate expiration, we are hoping to use three years and the user will not be able to renew the certificate but to request a new one.
I haven't tried nor know anybody who has tried to obtain an issuing certificate from Verisign or the like. I am interested to hear about this; you seem to imply you have had experience with this.
As for a root CA, yes we have it offline as a VM.
One thing I am surprised is the low number of people who know how to trust a CA. Even the developers that I know do not do this. They are just accustomed to clicking the link to view the https site and do not think anything about it.
As for issuing certificates, have you used the certificate templates? What I mean by that (hopefully my terminology is correct) is ignoring all/most fields in the certificate request and using the ones you have set up yourself. What all custom fields do you let the client specify? Do you use one certificate for all functions/EKU: code signing, authentication ... etc. Or do you use one certificate for each function.