-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Brian Becker
Sent: Monday, August 24, 2009 9:44
To: CentOS mailing list
Subject: Re: [CentOS] self signing certificates

On Mon, Aug 24, 2009 at 9:32 AM, Jerry Geis <geisj@pagestation.com> wrote:
For "internal" applications what do people/places do?
We follow the design at VeriSign.
We have an offline master RootCA cert; this has signed another offline PublicCA.
The PublicCA is a machine which takes certificate signing requests (you can make these using openssl, or Microsoft stuff, etc.) and signs those out.
For development we have a non-public online DevCA that we use to sign test code, etc. This code never is intended to leave our dev lab. If the code is leaving the lab it will have to be signed by our PackageSigningCA (online), which is signed by our PublicCA.
We have our RootCA pushed to all of our servers and workstations. It is also available via http://ca.pdinc.us.
The DevCA is manually installed by each user on each machine that wants it. It also expires every 110 days, and we make a new one every 90 days.
Hope this helps.
It would be nice to be seamless and have the "you're not trusted" window pop-up. Yet this is not a public web site either. Just internal use. The server might be on the internet but people from the internet are not using it.
I presume there is no way to by-pass the certificate signing process - even for internal apps. Is there?
Nope.
Thanks,
Jerry
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
If you are in a Windows domain you can distribute the public certificate of your "signing authority" using Active Directory. This will prevent IE from showing the untrusted warning. Otherwise you can install the public certificate into the user's web browser and any certs you sign will show as trusted.
A good source of how to do this on OS/Application X:
http://wiki.cacert.org/wiki/BrowserClients#ImportintoMicrosoftActiveDirector... upPolicyobject
If you can give an idea of what platform/browser I can provide more specifics.
Brian
--
Jason Pyeron, Principal Consultant
PD Inc. http://www.pdinc.us
10 West 24th Street #100, Baltimore, Maryland 21218
+1 (443) 269-1555 x333
This message is copyright PD Inc, subject to license 20080407P00.
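
The hierarchy described in this thread, sketched with openssl as an added example (it is not from the original messages and is not PD Inc.'s actual setup): a RootCA signs a PublicCA, the PublicCA signs a server's request, and a separate DevCA is issued for 110 days so that it is still valid when its replacement is made at day 90. File names, subject names, key sizes and every lifetime other than the DevCA's 110 days are assumptions, and treating the DevCA as its own self-signed trust anchor is also an assumption.

```shell
#!/bin/sh
# Added example. File names, subjects, key sizes and all lifetimes other than
# the DevCA's 110 days are assumptions; keys are left unencrypted for brevity.
set -eu
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
# new_csr NAME CN: private key plus certificate signing request
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}
# self_sign NAME DAYS: a trust anchor (the RootCA, and the stand-alone DevCA)
self_sign() {
  openssl x509 -req -in "$d/$1.csr" -signkey "$d/$1.key" -days "$2" \
    -extfile "$d/pki.cnf" -extensions ca_ext -out "$d/$1.pem" 2>/dev/null
}
# issue NAME ISSUER DAYS EXT_SECTION: ISSUER signs NAME's request
issue() {
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
    -CAcreateserial -days "$3" -extfile "$d/pki.cnf" -extensions "$4" \
    -out "$d/$1.pem" 2>/dev/null
}
# verify_chain ANCHOR LEAF [INTERMEDIATE]: exit 0 only if LEAF chains to ANCHOR
verify_chain() {
  openssl verify -CAfile "$d/$1.pem" ${3:+-untrusted "$d/$3.pem"} \
    "$d/$2.pem" >/dev/null 2>&1
}
# valid_in_days NAME DAYS: exit 0 if NAME is still unexpired DAYS from now
valid_in_days() {
  openssl x509 -in "$d/$1.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
new_csr root "Example RootCA";     self_sign root 3650
new_csr public "Example PublicCA"; issue public root 1825 ca_ext
new_csr www "intranet.example";    issue www public 365 leaf_ext
new_csr dev "Example DevCA";       self_sign dev 110
verify_chain root www public && echo "OK: www chains to RootCA through PublicCA"
verify_chain root www || echo "OK: rejected when the PublicCA cert is not supplied"
valid_in_days dev 90 && echo "OK: DevCA still valid at day 90, when its successor is made"
```

Clients only need root.pem in their trust store; the server presents its own certificate together with the PublicCA certificate.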