[CentOS] self signing certificates
Paul Heinlein
heinlein at madboa.com
Tue Aug 25 15:30:00 UTC 2009
On Mon, 24 Aug 2009, aurfalien at gmail.com wrote:
> I would go buy a cert.
>
> They aren't much money and you can specify the granularity you want
> the cert to have, the more granularity, the higher the cost but they
> are not that much anyways.
The difficulty with purchased certificates is timely revocation,
since, as you note,
> After all, 75% of breaches occur form within. You can take that how
> ever you want but the days of a soft nougatine LAN are over.
An in-house Certificate Authority can revoke, say, a locally issued
OpenVPN certificate very quickly. If HR calls you aside for a quick
and quiet meeting to halt all network access for Jane Employee, having
the ability to revoke her certificate(s) by the time she's ushered
from the building is nearly essential.
The same thing is true if a user's laptop is stolen. An employee
called me early one Sunday morning to let me know that someone had
broken into his house and stolen, among other things, his laptop. He
had things encrypted, but it was still very reassuring to everyone
that I was able to revoke his VPN cert within a few minutes.
--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
More information about the CentOS
mailing list